
31 May 2012
2:50 p.m.
Hi all,

I just discovered an agent adding a note to a ticket. The only text in the note was: “<script>alert("Hi");</script>”. When you open the ticket, the JavaScript code executes and you get the “Hi” alert.

I'm not much of a webadmin, I'm more a developer; I'm not that much into web-server security. I'd like to know if you think this could be a security risk. Bear in mind that we are creating tickets from emails, and that these tickets will be HTML if the email's MIME type was text/html.

Kind regards,
Juan Clavero
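The behaviour described above is stored cross-site scripting: markup typed by one agent (or sent in an email) is stored and later rendered as live HTML in every other user's browser. The post raises two distinct rendering paths, and they need different treatment: a plain-text agent note must be escaped so that every character is shown literally, while the body of a text/html email must keep its formatting but lose anything executable. The following is an added example written for this page, not code from the original post or from any particular help-desk product; the function names, the ALLOWED_TAGS list, the set of accepted URL schemes and the constructed inputs are assumptions for illustration.

```python
"""Added example: two rendering paths for help-desk ticket content.

Not code from the original post or from any help-desk product. Assumes
agent notes are plain text and that a text/html email body is stored as
HTML and must be displayed as HTML.
"""
import html
from html.parser import HTMLParser

# Allowlist of harmless formatting a rendered email may keep. This list is
# an assumption for the example; tune it to what the ticket view needs.
ALLOWED_TAGS = {"p", "br", "b", "i", "strong", "em", "u", "ul", "ol", "li",
                "a", "blockquote", "pre", "code"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:")
VOID_TAGS = {"br"}


def render_text_note(note):
    """Plain-text note: HTML-escape every character with markup meaning.

    <script>alert("Hi");</script> becomes literal text, so nothing runs.
    """
    return "<p>" + html.escape(note, quote=True).replace("\n", "<br>") + "</p>"


def _safe_href(value):
    # Browsers ignore tabs/newlines inside a URL scheme, so strip control
    # characters before checking and compare case-insensitively.
    cleaned = "".join(ch for ch in value if ord(ch) > 32).lower()
    return cleaned.startswith(SAFE_URL_PREFIXES)


class _AllowlistSanitizer(HTMLParser):
    """Re-emits only allowlisted tags/attributes; all text is re-escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []       # output fragments
        self._open = []     # allowed tags currently open
        self._skip = 0      # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1         # drop the element *and* its contents
            return
        if tag not in ALLOWED_TAGS:
            return                  # drop the tag, keep its text children
        kept = ""
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue            # onclick, onerror, style... never pass
            if name == "href" and not _safe_href(value):
                continue            # javascript:, data:, vbscript: ...
            kept += ' %s="%s"' % (name, html.escape(value, quote=True))
        self.out.append("<%s%s>" % (tag, kept))
        if tag not in VOID_TAGS:
            self._open.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = max(0, self._skip - 1)
        elif tag in self._open:
            while self._open:       # close anything left open inside it
                top = self._open.pop()
                self.out.append("</%s>" % top)
                if top == tag:
                    break

    def handle_data(self, data):
        if not self._skip:
            self.out.append(html.escape(data, quote=True))

    # Comments, doctypes and processing instructions are dropped by the
    # HTMLParser defaults, which is what a sanitizer wants.

    def result(self):
        self.close()                # flush buffered text
        while self._open:           # close tags the sender never closed
            self.out.append("</%s>" % self._open.pop())
        return "".join(self.out)


def render_html_email(body):
    """text/html email body: keep formatting, remove anything executable."""
    parser = _AllowlistSanitizer()
    parser.feed(body)
    return parser.result()


if __name__ == "__main__":
    # Constructed inputs modelled on the payload in the post.
    print(render_text_note('<script>alert("Hi");</script>'))
    print(render_html_email('<p>Hi <b>there</b><script>alert("Hi");</script>'
                            '<a href="javascript:alert(1)" onclick="x()">'
                            'link</a></p>'))
```

The split is the point: escaping is the right tool for the note field, and an allowlist (tags, attributes and URL schemes) is the right tool for the email body; a denylist that only strips `<script>` misses `<img onerror>`, `javascript:` links and the like. In a real deployment use a maintained sanitizer library rather than a home-grown parser like this one, sanitize on the server before the content is stored or displayed, and add a Content-Security-Policy header as a second layer.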