External HTML links are filtered using API for ticket creation

Dear Community,

I’m using Zammad 2.9.x and my question is regarding the usage of the Zammad API to create a ticket.

I’m searching for a solution to add HTML which points to external resources inside the article section. For example, an external image or even an iframe. Only embedded objects are currently working for me.

The default behaviour seems to be that all external HTML references are filtered. Is there a way to change that?

Here are two example of what I’ve tried:

First example:

{
 "title": "Help me!",
 "group": "Users",
 "customer": "...",
 "article": {
 "content_type": "text/html",
 "subject": "Dummy test subject",
 "body": "A message with iframe <iframe src=\"https://....\" style=\"border:0px #ffffff none;\" name=\"myiFrame\" scrolling=\"no\" frameborder=\"1\" marginheight=\"0px\" marginwidth=\"0px\" height=\"800px\" width=\"1024px\"></iframe>",
"internal": false
 },
 "note": "some note"
}

Second example:

{
 "title": "Help me!",
 "group": "Users",
 "customer": "...",
 "article": {
 "content_type": "text/html",
 "subject": "Dummy test subject",
"body": "<b>some</b> message with external image <img src=\"https://....png\">",
"internal": false
 },
 "note": "some note"
}

There are no error messages in the log. Everything goes fine. But in both cases the whole tags iframe and img are filtered out in the resulting ticket.

Is there a way to change this behaviour?

Thanks in advance,

Stephan

Hi Stephan - welcome to the community! The behavior you are describing is security related because an attacker could steal information or overtake your Zammad session. Therefore Zammad removes all malicious elements. Since there is no way to distinguish between a regular mail or an attackers mail there won’t be a way to disable this for your own security. However, it’s possible to download and open the raw HTML version of the mail from the link below the article. This will open the file outside of the Zammad context and will be therefore safe®.