External HTML links are filtered using API for ticket creation

Dear Community,

I’m using Zammad 2.9.x and my question is regarding the usage of the Zammad API to create a ticket.

I’m searching for a solution to add HTML which points to external resources inside the article section. For example, an external image or even an iframe. Only embedded objects are currently working for me.

The default behaviour seems to be that all external HTML references are filtered. Is there a way to change that?

Here are two examples of what I’ve tried:

First example:

{
  "title": "Help me!",
  "group": "Users",
  "customer": "...",
  "article": {
    "content_type": "text/html",
    "subject": "Dummy test subject",
    "body": "A message with iframe <iframe src=\"https://....\" style=\"border:0px #ffffff none;\" name=\"myiFrame\" scrolling=\"no\" frameborder=\"1\" marginheight=\"0px\" marginwidth=\"0px\" height=\"800px\" width=\"1024px\"></iframe>",
    "internal": false
  },
  "note": "some note"
}

Second example:

{
  "title": "Help me!",
  "group": "Users",
  "customer": "...",
  "article": {
    "content_type": "text/html",
    "subject": "Dummy test subject",
    "body": "<b>some</b> message with external image <img src=\"https://....png\">",
    "internal": false
  },
  "note": "some note"
}

There are no error messages in the log. Everything goes fine. But in both cases the iframe and img tags are filtered out entirely in the resulting ticket.

Is there a way to change this behaviour?

Thanks in advance,

Stephan

Hi Stephan - welcome to the community! The behavior you are describing is security related because an attacker could steal information or take over your Zammad session. Therefore Zammad removes all malicious elements. Since there is no way to distinguish between a regular mail and an attacker’s mail, there won’t be a way to disable this, for your own security. However, it’s possible to download and open the raw HTML version of the mail from the link below the article. This will open the file outside of the Zammad context and will therefore be safe®.
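To illustrate why an allowlist sanitizer behaves the way the two examples above show (the iframe and the externally hosted img disappear without any error, while an embedded data: image survives), here is a small stand-alone sanitizer built on Python's standard-library html.parser. It is an added example and is not Zammad's own sanitizer or API; the tag and attribute allowlist, the `data:image/` rule for inline images and the sample bodies are all assumptions constructed for the demonstration.

```python
from html import escape
from html.parser import HTMLParser

# Assumed allowlist for the demonstration; a real sanitizer would be longer.
ALLOWED_TAGS = {"b", "i", "u", "strong", "em", "p", "br", "ul", "ol", "li", "a", "img"}
VOID_TAGS = {"br", "img"}
# Elements that are removed together with everything inside them.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the HTML from scratch, keeping only allowlisted tags/attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []         # sanitized fragments
        self.dropped = []     # names of elements that were removed (for logging)
        self._skip_depth = 0  # > 0 while inside a dropped element

    def handle_starttag(self, tag, attrs):
        if self._skip_depth:
            if tag in DROP_WITH_CONTENT:
                self._skip_depth += 1
            return
        if tag in DROP_WITH_CONTENT:
            self._skip_depth = 1
            self.dropped.append(tag)
            return
        if tag in ALLOWED_TAGS:
            self._emit_start(tag, attrs)
        # Unknown tags are dropped, but their text content is kept.

    def _emit_start(self, tag, attrs):
        kept = []
        for name, value in attrs:
            value = value or ""
            lowered = value.lower()
            # Links: only absolute http(s) targets; javascript: etc. are discarded.
            if tag == "a" and name == "href" and lowered.startswith(("http://", "https://")):
                kept.append((name, value))
            # Images: only embedded data: images; external URLs are not fetched.
            elif tag == "img" and name == "src" and lowered.startswith("data:image/"):
                kept.append((name, value))
            # Every other attribute (style, on*, name, ...) is dropped.
        if tag == "img" and not kept:
            self.dropped.append("img")  # an img without an allowed src is useless
            return
        attr_text = "".join(f' {n}="{escape(v, quote=True)}"' for n, v in kept)
        self.out.append(f"<{tag}{attr_text}>")

    def handle_endtag(self, tag):
        if self._skip_depth:
            if tag in DROP_WITH_CONTENT:
                self._skip_depth -= 1
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(escape(data, quote=False))


def sanitize_article_html(body):
    """Return (sanitized_html, dropped_element_names) for an article body."""
    parser = AllowlistSanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample bodies mirroring the two API payloads in the question.
IFRAME_BODY = 'A message with iframe <iframe src="https://example.invalid/" name="myiFrame"></iframe>'
EXTERNAL_IMG_BODY = '<b>some</b> message with external image <img src="https://example.invalid/x.png">'
INLINE_IMG_BODY = '<img src="data:image/png;base64,AAAA" onerror="alert(1)">'

if __name__ == "__main__":
    for sample in (IFRAME_BODY, EXTERNAL_IMG_BODY, INLINE_IMG_BODY):
        html, dropped = sanitize_article_html(sample)
        print(f"{sample!r}\n  -> {html!r}, dropped={dropped}")
```

The point of the `dropped` list is operational: a sanitizer that silently removes content (as the question observed, "no error messages in the log") is hard to debug, so recording what was stripped gives you something to log or surface to an integration without weakening the filter.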

We are using the Zammad system through APIs (bearer token for auth) to manage customer tickets in another application (Angular application). Can we bypass this HTML sanitization or get the actual HTML we sent in the body payload with all img tags? What is the workaround to save and get rich HTML content with images?

HTML sanitizing is mandatory and cannot be bypassed.
Please open your own thread if you need help with API calls etc.