API Created Ticket HTML / CSS Formatting

gorka.bull · November 10, 2023, 9:00am

Infos:

Used Zammad version: 6.1.0
Used Zammad installation type: Docker
Operating system: Debian
Browser + version: Chrome 119.0.6045.124

Expected behavior:

When creating a ticket via API, I expect the HTML and CSS rendered correctly.

Actual behavior:

CSS is filtered and no style is show.

Steps to reproduce the behavior:

Create a ticket via API, set content type to text/html. Define an style tag or inline style for a tag.

fliebe92 · November 10, 2023, 10:07am

Hi @gorka.bull. You have to provide more information, with the given information it is not possible to help you.

gorka.bull · November 10, 2023, 11:34am

Send an API Call for creating a ticket, and in the article body define: <h1 style="color: red;">.

The color style is not applied.

fliebe92 · November 10, 2023, 11:44am

It’s not allowed due to html sanitizing.

gorka.bull · November 10, 2023, 1:37pm

Yeah I did realize that. Are there any alternatives, is it possible to disable this sanitization for some users?

MrGeneration · November 10, 2023, 1:39pm

No. The sanitization process is there for very good reasons and cannot be overseeded. By trying or doing so, you’ll run into issues you’ll receive no support for and that are not bugs and thus are no issue candidates.

diankov · November 10, 2023, 10:05pm

But maybe this is possible?

<div style="color:red;">This text is red.</div>

gorka.bull · November 15, 2023, 8:26am

Yes I know. Sanitization should be done for some kind of tags and scripts. But removing CSS styles like colour and background is not necessary at all, is not a risk for security. However, could be fine if the sanitization is done in customer - agent side, assuming is malicious actor, but, what’s the point of doing this via API with an admin account?