Bug: Sanitizing with htmLawed, redactor and js > code tag in frontend is ignored and will be rendered

We know that security is an important factor in a public helpdesk. If you would like to use osTicket as a support system for software, web hosting etc., it's important that you can use the <code> tag with non-interpreted code in tickets, knowledgebase and pages. To display code correctly between the code tags it's standard to use HTML entities.

The HTML entities are converted and interpreted by the osTicket sanitizing functions as running code. This leads to e.g. <code>&lt;h1&gt;Heading 1&lt;/h1&gt;</code> being displayed as a formatted h1.

Please can you help us adjust this? Any hints are really welcome.

Best regards,


  • In order to be able to write code/xml in your messages you need to disable decoding.

    and change from true to false
  • edited June 2017
    @Micke1101: Many thanks for the hint, but changing this line has no effect. This will only disable sanitizing while saving, but if you call the page in the frontend it's sanitized again. The problem is that osTicket has many places where the code is cleaned, stripped or sanitized.

    We adjusted redactor, htmLawed and js for this and now we can add classes and attributes in richtext while you are logged in as staff; clients are not allowed to edit html code. We integrated bootstrap in redactor, so you can see how the content will look. In the backend everything is fine; we will see content in code tags as not rendered code. But in the frontend html entities &lt; or &gt; are converted again into < > and the code is rendered.

    At the moment we created a workaround by adding class "displayCode" to a code tag and executing the following javascript


    to convert html to plain text in the frontend.

    We tested the recommended change in an original version and it has no effect, because the code is sanitized by redactor, too.

    Any other ideas?
  • @DMTGMBH not sure what you are expecting to happen then, could you show a visual example?
  • The suggested fix from Micke1101 worked for me - yay - this resolves my ticket "Include XML snippet in ticket response - 114673"
  • @Micke1101 @cjhabs you are right, for submitting tickets via the frontend this will work. But we are looking for a solution for other pages. Any idea?
  • edited June 2017
    @cjhabs Glad it solved your problem :)

    @DMTGMBH OK, I've now looked around and everything seems to work except one thing.
    Create tickets - Works
    Create tasks - Works
    Create pages - Works
    Create email template - Works
    Create kb category - Works
    Create kb page - Works
    Editing an entry in a ticket - Works

    Editing Content - Does not work

    The problem is that the characters are interpreted before redactor gets them.
    Change to
    return htmlspecialchars( (string) preg_replace('/&(?=(lt|gt);)/', '&amp;', $var), $flags, 'UTF-8', false);
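
Added example, not part of the original posts and not osTicket's code: the line suggested above, run on the thread's own sample string next to an assumed baseline (the same call without the `preg_replace`; the thread does not show the original line) and a generalisation that goes beyond the thread (`double_encode` set to true). The function names, the second sample, and the model of the browser decoding textarea content once before the editor reads it are assumptions.

```php
<?php
// Added illustration; all function names here are hypothetical.

// Assumed baseline: encode stored HTML for a <textarea>, skipping existing entities.
function encode_baseline(string $var, int $flags = ENT_COMPAT): string {
    return htmlspecialchars($var, $flags, 'UTF-8', false);
}

// The line suggested in the thread: pre-escape the "&" of &lt; and &gt;.
function encode_thread_fix(string $var, int $flags = ENT_COMPAT): string {
    return htmlspecialchars(
        (string) preg_replace('/&(?=(lt|gt);)/', '&amp;', $var),
        $flags, 'UTF-8', false);
}

// Generalisation beyond the thread: double_encode = true escapes every "&".
function encode_full(string $var, int $flags = ENT_COMPAT): string {
    return htmlspecialchars($var, $flags, 'UTF-8', true);
}

// Assumed model of the browser: textarea content gets exactly one
// entity-decoding pass before the editor script reads it.
function browser_decode(string $html): string {
    return html_entity_decode($html, ENT_QUOTES, 'UTF-8');
}

// Constructed samples: the thread's snippet, and content that already holds &amp;.
$samples = [
    '<code>&lt;h1&gt;Heading 1&lt;/h1&gt;</code>',
    '<code>&amp;lt; is the entity for &lt;</code>',
];

foreach ($samples as $stored) {
    echo "stored: $stored\n";
    foreach (['encode_baseline', 'encode_thread_fix', 'encode_full'] as $fn) {
        $seen = browser_decode($fn($stored));
        $verdict = ($seen === $stored) ? 'round-trips' : 'CHANGED';
        printf("  %-18s editor sees: %s [%s]\n", $fn, $seen, $verdict);
    }
}
```

The second sample exercises the case the `lt|gt` lookahead does not cover: stored content that already contains `&amp;`.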
  • @Micke1101 Many thanks for your help, but it doesn't solve our problem.

    We have completely reworked redactor. Some features are: integrated bootstrap css for a wysiwyg preview, allowed classes and styles, using bootstrap components, don't allow clients to edit code and many more. Everything is working fine and correctly displayed in backend as in frontend.

    Except these damn code tags. That means, if we are in the backend all special characters are stored and interpreted well:


    If you switch to the frontend all htmlentities in the code section are converted to characters:


    We created a workaround by adding class "displayCode"; all <> in the code section were overwritten in the frontend with html entities by javascript.


    But we would prefer to find the correct place, where the entities in the frontend are converted to characters and adjust this function.
  • Since the suggested changes do work in osTicket 1.10 Vanilla, it must be your modifications to redactor that are causing this behaviour.
    Do you have a fork with the changes?
  • edited June 2017
    @Micke1101 Code in <code> tags is correctly interpreted by redactor and <> are automatically changed to entities. While saving to database html entities are changed to characters... We will check the saving process.
  • @Micke1101 Many thanks for your help, your tips in combination with some modifications in redactor are delivering the correct results.