API Created Ticket HTML / CSS Formatting

Infos:

  • Used Zammad version: 6.1.0
  • Used Zammad installation type: Docker
  • Operating system: Debian
  • Browser + version: Chrome 119.0.6045.124

Expected behavior:

  • When creating a ticket via API, I expect the HTML and CSS to be rendered correctly.

Actual behavior:

  • CSS is filtered and no style is shown.

Steps to reproduce the behavior:

  • Create a ticket via API, set the content type to text/html. Define a style tag or an inline style for a tag.

Hi @gorka.bull. You have to provide more information; with the given information it is not possible to help you.

Send an API Call for creating a ticket, and in the article body define: <h1 style="color: red;">.

The color style is not applied.

It’s not allowed due to html sanitizing.

Yeah I did realize that. Are there any alternatives, is it possible to disable this sanitization for some users?

No. The sanitization process is there for very good reasons and cannot be overridden. By trying or doing so, you’ll run into issues you’ll receive no support for, and that are not bugs and thus are not issue candidates.


But maybe this is possible?

<div style="color:red;">This text is red.</div>

Yes, I know. Sanitization should be done for some kinds of tags and scripts. But removing CSS styles like colour and background is not necessary at all; it is not a security risk. However, it could be fine if the sanitization is done on the customer-agent side, assuming a malicious actor, but what’s the point of doing this via the API with an admin account?


I see it like you do, and for me it is absolutely important to highlight some text sometimes to show its importance. There should at least be an option to disable the sanitization for a specific mail, or to allow specific styles like color, background-color and font-size.
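As an added example, not Zammad's sanitizer and not code from anyone in this thread: a Python allowlist sanitizer of the kind the last two posts ask for. It keeps color, background-color, font-size and font-weight on inline styles while still dropping scripts, event-handler attributes, javascript: links and any style value containing url() or expression(). The tag list, property list and value patterns are assumptions chosen for illustration. The caveat a sanitizer author has to handle is that even a "harmless" property such as background-color must be value-checked: a permissive style attribute would let a url(...) value make every reader's browser fetch a remote resource when the ticket is opened.

```python
# Added example: allowlist-based HTML sanitizer that keeps a small set of inline
# CSS properties while still dropping scripts, event handlers and any style
# value that could trigger a network fetch. This is constructed illustration
# code, not Zammad's sanitizer; the tag/property lists and the value patterns
# are assumptions.
import html
import re
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "div", "span", "h1", "h2", "h3", "b", "strong", "i", "em",
                "u", "ul", "ol", "li", "br", "a"}
VOID_TAGS = {"br"}
ALLOWED_ATTRS = {"a": {"href"}}          # "style" is handled separately
DROP_CONTENT_TAGS = {"script", "style"}  # the text inside these is discarded too

# Each allowed CSS property gets a strict value pattern. Parentheses, quotes and
# slashes are never allowed, so url(...) and expression(...) cannot slip
# through even in an "innocent" property such as background-color.
_COLOR = re.compile(r"^(#[0-9a-fA-F]{3}|#[0-9a-fA-F]{6}|[a-zA-Z]+)$")
ALLOWED_CSS = {
    "color": _COLOR,
    "background-color": _COLOR,
    "font-size": re.compile(r"^\d+(\.\d+)?(px|pt|em|rem|%)$"),
    "font-weight": re.compile(r"^(bold|normal|[1-9]00)$"),
}
_SAFE_HREF = re.compile(r"^(https?:|mailto:)", re.IGNORECASE)


def sanitize_style(style: str) -> str:
    """Keep only allowlisted 'property: value' pairs whose value matches its pattern."""
    kept = []
    for decl in style.split(";"):
        prop, sep, value = decl.partition(":")
        if not sep:
            continue
        prop, value = prop.strip().lower(), value.strip()
        pattern = ALLOWED_CSS.get(prop)
        if pattern and pattern.match(value):
            kept.append(f"{prop}: {value}")
    return "; ".join(kept)


class _AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__()           # convert_charrefs=True: text arrives decoded
        self.out = []
        self._drop_depth = 0         # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._drop_depth += 1
            return
        if self._drop_depth or tag not in ALLOWED_TAGS:
            return                   # unknown tag: drop the tag, keep its text
        parts = []
        for name, value in attrs:
            value = value or ""
            if name == "style":
                clean = sanitize_style(value)
                if clean:
                    parts.append(f' style="{clean}"')
            elif name in ALLOWED_ATTRS.get(tag, set()):
                if name == "href" and not _SAFE_HREF.match(value):
                    continue         # javascript:, data: etc. are dropped
                parts.append(f' {name}="{html.escape(value, quote=True)}"')
            # every other attribute (onclick, onerror, id, class, ...) is dropped
        self.out.append(f"<{tag}{''.join(parts)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self._drop_depth = max(0, self._drop_depth - 1)
        elif not self._drop_depth and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._drop_depth:
            self.out.append(html.escape(data, quote=False))  # re-escape decoded text


def sanitize_html(fragment: str) -> str:
    """Return the sanitized version of an HTML fragment (e.g. an article body)."""
    parser = _AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample article bodies, not real tickets.
    samples = [
        '<h1 style="color: red;">Urgent</h1>',
        '<div style="color:red; background:url(https://attacker.example/beacon.gif)">t</div>',
        '<p onclick="steal()" style="font-size: 14px">a &amp; b</p>',
        '<script>alert(1)</script><b>ok</b><a href="javascript:alert(1)">x</a>',
    ]
    for sample in samples:
        print(sanitize_html(sample))
```

Run as a script it prints the four constructed samples with the red heading kept, the url() background and the onclick handler stripped, and the script block and javascript: link removed. Applying something like this on the client before calling the API does not change what Zammad does on the server, which is the point made earlier in the thread; it only shows what a property-level allowlist would have to look like.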

I never wrote anything about security issues. While yes, it also ensures “evil content” is alright, it’s more about ensuring you can actually read the content as good as possible.

Don’t forget. It’s a website technically.