Improved article quoting.

OTRS · Sep 11, 2019 · 03ca8f3 · 03ca8f3 · 22tcp · Oct 17, 2019
1 parent 27f9972
commit 03ca8f3
Show file tree

Hide file tree

Showing 5 changed files with 101 additions and 33 deletions.
diff --git a/Kernel/Modules/AgentTicketActionCommon.pm b/Kernel/Modules/AgentTicketActionCommon.pm
@@ -1329,14 +1329,20 @@ sub Run {
         # set Body var to calculated content
         $GetParam{Body} = $Body;
 
-        # Strip out external content if needed.
-        if ( $ConfigObject->Get('Ticket::Frontend::BlockLoadingRemoteContent') ) {
-            my %SafetyCheckResult = $Kernel::OM->Get('Kernel::System::HTMLUtils')->Safety(
-                String       => $GetParam{Body},
-                NoExtSrcLoad => 1,
-            );
-            $GetParam{Body} = $SafetyCheckResult{String};
-        }
+        my %SafetyCheckResult = $Kernel::OM->Get('Kernel::System::HTMLUtils')->Safety(
+            String => $GetParam{Body},
+
+            # Strip out external content if BlockLoadingRemoteContent is enabled.
+            NoExtSrcLoad => $ConfigObject->Get('Ticket::Frontend::BlockLoadingRemoteContent'),
+
+            # Disallow potentially unsafe content.
+            NoApplet     => 1,
+            NoObject     => 1,
+            NoEmbed      => 1,
+            NoSVG        => 1,
+            NoJavaScript => 1,
+        );
+        $GetParam{Body} = $SafetyCheckResult{String};
 
         if ( $Self->{ReplyToArticle} ) {
             my $TicketSubjectRe = $ConfigObject->Get('Ticket::SubjectRe') || 'Re';

diff --git a/Kernel/Modules/AgentTicketCompose.pm b/Kernel/Modules/AgentTicketCompose.pm
@@ -1180,14 +1180,20 @@ sub Run {
             UploadCacheObject => $UploadCacheObject,
         );
 
-        # Strip out external content if needed.
-        if ( $ConfigObject->Get('Ticket::Frontend::BlockLoadingRemoteContent') ) {
-            my %SafetyCheckResult = $Kernel::OM->Get('Kernel::System::HTMLUtils')->Safety(
-                String       => $Data{Body},
-                NoExtSrcLoad => 1,
-            );
-            $Data{Body} = $SafetyCheckResult{String};
-        }
+        my %SafetyCheckResult = $Kernel::OM->Get('Kernel::System::HTMLUtils')->Safety(
+            String => $Data{Body},
+
+            # Strip out external content if BlockLoadingRemoteContent is enabled.
+            NoExtSrcLoad => $ConfigObject->Get('Ticket::Frontend::BlockLoadingRemoteContent'),
+
+            # Disallow potentially unsafe content.
+            NoApplet     => 1,
+            NoObject     => 1,
+            NoEmbed      => 1,
+            NoSVG        => 1,
+            NoJavaScript => 1,
+        );
+        $Data{Body} = $SafetyCheckResult{String};
 
         # restrict number of body lines if configured
         if (

diff --git a/Kernel/Modules/AgentTicketForward.pm b/Kernel/Modules/AgentTicketForward.pm
@@ -295,14 +295,20 @@ sub Form {
         AttachmentsInclude => 1,
     );
 
-    # Strip out external content if needed.
-    if ( $ConfigObject->Get('Ticket::Frontend::BlockLoadingRemoteContent') ) {
-        my %SafetyCheckResult = $Kernel::OM->Get('Kernel::System::HTMLUtils')->Safety(
-            String       => $Data{Body},
-            NoExtSrcLoad => 1,
-        );
-        $Data{Body} = $SafetyCheckResult{String};
-    }
+    my %SafetyCheckResult = $Kernel::OM->Get('Kernel::System::HTMLUtils')->Safety(
+        String => $Data{Body},
+
+        # Strip out external content if BlockLoadingRemoteContent is enabled.
+        NoExtSrcLoad => $ConfigObject->Get('Ticket::Frontend::BlockLoadingRemoteContent'),
+
+        # Disallow potentially unsafe content.
+        NoApplet     => 1,
+        NoObject     => 1,
+        NoEmbed      => 1,
+        NoSVG        => 1,
+        NoJavaScript => 1,
+    );
+    $Data{Body} = $SafetyCheckResult{String};
 
     if ( $LayoutObject->{BrowserRichText} ) {
 

diff --git a/Kernel/Modules/AgentTicketPhone.pm b/Kernel/Modules/AgentTicketPhone.pm
@@ -351,14 +351,20 @@ sub Run {
                 $Article{ContentType} = 'text/plain';
             }
 
-            # Strip out external content if needed.
-            if ( $ConfigObject->Get('Ticket::Frontend::BlockLoadingRemoteContent') ) {
-                my %SafetyCheckResult = $Kernel::OM->Get('Kernel::System::HTMLUtils')->Safety(
-                    String       => $Article{Body},
-                    NoExtSrcLoad => 1,
-                );
-                $Article{Body} = $SafetyCheckResult{String};
-            }
+            my %SafetyCheckResult = $Kernel::OM->Get('Kernel::System::HTMLUtils')->Safety(
+                String => $Article{Body},
+
+                # Strip out external content if BlockLoadingRemoteContent is enabled.
+                NoExtSrcLoad => $ConfigObject->Get('Ticket::Frontend::BlockLoadingRemoteContent'),
+
+                # Disallow potentially unsafe content.
+                NoApplet     => 1,
+                NoObject     => 1,
+                NoEmbed      => 1,
+                NoSVG        => 1,
+                NoJavaScript => 1,
+            );
+            $Article{Body} = $SafetyCheckResult{String};
 
             # show customer info
             if ( $ConfigObject->Get('Ticket::Frontend::CustomerInfoCompose') ) {

diff --git a/scripts/test/Selenium/Agent/AgentTicketForward.t b/scripts/test/Selenium/Agent/AgentTicketForward.t
@@ -175,7 +175,15 @@ $Selenium->RunTest(
             ArticleType => 'email-external',
             SenderType  => 'customer',
             Subject     => 'some short description',
-            Body => '<!DOCTYPE html><html><body>' . $RandomID . '<br /><img src="' . $ImgSource . '"/></body></html>',
+            Body =>
+                '<!DOCTYPE html><html><body>'
+                . $RandomID . '<br /><img src="' . $ImgSource . '"/>'
+                . '<applet code="foo.class"></applet>'
+                . '<object data="bar.swf"></object>'
+                . '<embed src="baz.swf">'
+                . '<svg width="100" height="100"><circle cx="50" cy="50" r="40" fill="yellow" /></svg>'
+                . '<script type="text/javascript">alert(1);</script>'
+                . '</body></html>',
             Charset        => 'utf-8',
             MimeType       => 'text/html',
             HistoryType    => 'EmailCustomer',
@@ -203,6 +211,24 @@ $Selenium->RunTest(
             "BlockLoadingRemoteContent is disabled - external content is loaded"
         );
 
+        # Verify potentially unsafe tags are not present.
+        $Self->False(
+            $Selenium->execute_script("return CKEDITOR.instances.RichText.getData().indexOf('<applet') > -1;"),
+            'APPLET tag is stripped from the quoted content'
+        );
+        $Self->False(
+            $Selenium->execute_script("return CKEDITOR.instances.RichText.getData().indexOf('<embed') > -1;"),
+            'EMBED tag is stripped from the quoted content'
+        );
+        $Self->False(
+            $Selenium->execute_script("return CKEDITOR.instances.RichText.getData().indexOf('<svg') > -1;"),
+            'SVG tag is stripped from the quoted content'
+        );
+        $Self->False(
+            $Selenium->execute_script("return CKEDITOR.instances.RichText.getData().indexOf('<script') > -1;"),
+            'SCRIPT tag is stripped from the quoted content'
+        );
+
         # Enable global external content blocking.
         $Helper->ConfigSettingChange(
             Valid => 1,
@@ -223,6 +249,24 @@ $Selenium->RunTest(
             "BlockLoadingRemoteContent is enabled - external content is not loaded"
         );
 
+        # Verify potentially unsafe tags are not present.
+        $Self->False(
+            $Selenium->execute_script("return CKEDITOR.instances.RichText.getData().indexOf('<applet') > -1;"),
+            'APPLET tag is stripped from the quoted content'
+        );
+        $Self->False(
+            $Selenium->execute_script("return CKEDITOR.instances.RichText.getData().indexOf('<embed') > -1;"),
+            'EMBED tag is stripped from the quoted content'
+        );
+        $Self->False(
+            $Selenium->execute_script("return CKEDITOR.instances.RichText.getData().indexOf('<svg') > -1;"),
+            'SVG tag is stripped from the quoted content'
+        );
+        $Self->False(
+            $Selenium->execute_script("return CKEDITOR.instances.RichText.getData().indexOf('<script') > -1;"),
+            'SCRIPT tag is stripped from the quoted content'
+        );
+
         # Delete created test ticket.
         my $Success = $TicketObject->TicketDelete(
             TicketID => $TicketID,