
Mailing List Archive: Request Tracker: Users

Inline screenshots

 

 



rosewood at gmx

May 9, 2012, 9:08 PM

Post #1 of 9 (880 views)
Permalink
Inline screenshots

On the RT Demo site you can paste screenshots into the ticket, like this:
http://dl.dropbox.com/u/7981096/rtticket.png

But when you submit the ticket the inline screenshot goes away. If you click
the download link you get the raw html showing <img alt=""
src="data:image/png;base64,iVBORw.

Now, if you ATTACH a screenshot, that does show inline.

With all of that said about the demo site, on my clean install of RT 4.0.5,
I can't even paste the screenshot in.

Is there a way to get inline screenshots working? The kind of problems we
are tracking will require multiple screenshots for the ticket and to have
them have to save each screenshot and attach them would really defeat the
purpose of streamlining the process.

Thank you


mirebob at gmail

Jul 19, 2012, 3:59 AM

Post #2 of 9 (769 views)
Permalink
Re: Inline screenshots [In reply to]

Hi rt-users,

I got this working in RT 3.8.8 by modifying /Elements/ScrubHTML to
authorize IMG elements and the src attribute. After that you can see
inline images in ticket history.
In RT4, ScrubHTML has been moved to /RT/Interface/Web.pm

Rémi


2012/5/10 <rosewood [at] gmx>:
> On the RT Demo site you can paste screenshots into the ticket, like this:
> http://dl.dropbox.com/u/7981096/rtticket.png
>
> But when you submit the ticket the inline screenshot goes away. If you click
> the download link you get the raw html showing <img alt=""
> src="data:image/png;base64,iVBORw.
>
> Now, if you ATTACH a screenshot, that does show inline.
>
> With all of that said about the demo site, on my clean install of RT 4.0.5,
> I can't even paste the screenshot in.
>
> Is there a way to get inline screenshots working? The kind of problems we
> are tracking will require multiple screenshots for the ticket and to have
> them have to save each screenshot and attach them would really defeat the
> purpose of streamlining the process.
>
> Thank you
>


florin at andrei

Jul 19, 2012, 1:44 PM

Post #3 of 9 (769 views)
Permalink
Re: Inline screenshots [In reply to]

On 07/19/2012 03:59 AM, Rémi wrote:
>
> I got this working in RT 3.8.8 by modifying /Elements/ScrubHTML to
> authorize IMG elements and the src attribute. After that you can see
> inline images in ticket history.
> In RT4, ScrubHTML has been moved to /RT/Interface/Web.pm

In RT4, I did this:

--- Web.pm.old 2012-07-19 13:31:31.220050969 -0700
+++ Web.pm 2012-07-19 13:32:10.034169941 -0700
@@ -2867,7 +2867,7 @@
);
$scrubber->deny(qw[*]);
$scrubber->allow(
- qw[.A B U P BR I HR BR SMALL EM FONT SPAN STRONG SUB SUP STRIKE
H1 H2 H3 H4 H5 H6 DIV UL OL LI DL DT DD PRE BLOCKQUOTE]
+ qw[.A B U P BR I HR BR SMALL EM FONT SPAN STRONG SUB SUP STRIKE
H1 H2 H3 H4 H5 H6 DIV UL OL LI DL DT DD PRE BLOCKQUOTE IMG SRC]
);
$scrubber->comment(0);
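
Review bot: SRC on the `+` line is an attribute name, not an element, yet it is added to a list of element names passed to allow(), so it does not express which src values an IMG may carry. Drop SRC from the list and state the IMG attribute policy explicitly in a per-tag rule that limits src to the forms actually needed (for pasted screenshots, data:image/ URIs) and rejects every other attribute.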

But if I include a link to an image in a ticket, all I get is the URL
displayed as text:

http://www.site.com/image.jpg

Does the message need to be formatted as HTML to begin with?

--
Florin Andrei
http://florin.myip.org/


florin at andrei

Jul 19, 2012, 2:12 PM

Post #4 of 9 (765 views)
Permalink
Re: Inline screenshots [In reply to]

On 07/19/2012 01:44 PM, Florin Andrei wrote:
>
> In RT4, I did this:
>
> --- Web.pm.old 2012-07-19 13:31:31.220050969 -0700
> +++ Web.pm 2012-07-19 13:32:10.034169941 -0700
> @@ -2867,7 +2867,7 @@
> );
> $scrubber->deny(qw[*]);
> $scrubber->allow(
> - qw[.A B U P BR I HR BR SMALL EM FONT SPAN STRONG SUB SUP STRIKE
> H1 H2 H3 H4 H5 H6 DIV UL OL LI DL DT DD PRE BLOCKQUOTE]
> + qw[.A B U P BR I HR BR SMALL EM FONT SPAN STRONG SUB SUP STRIKE
> H1 H2 H3 H4 H5 H6 DIV UL OL LI DL DT DD PRE BLOCKQUOTE IMG SRC]
> );
> $scrubber->comment(0);
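
Review bot: the file header (`--- Web.pm.old` / `+++ Web.pm`) shows core Web.pm being edited in place, so the widened tag list will be silently reverted by the next upgrade that replaces the file, and nothing at the changed line records why IMG was added. Carry the change as a tracked local patch or overlay and put a comment next to the list stating which image sources are meant to be allowed.
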
>
> But if I include a link to an image in a ticket, all I get is the URL
> displayed as text:
>
> http://www.site.com/image.jpg
>
> Does the message need to be formatted as HTML to begin with?

Oh wait, someone else sent an email from Outlook, formatted as HTML, and
it does look like the image link is displayed online then. So I guess
that's the requirement. RT4 won't display it inline if the original
email was plain text (which makes sense, duh).

--
Florin Andrei
http://florin.myip.org/


ruz at bestpractical

Jul 19, 2012, 2:12 PM

Post #5 of 9 (767 views)
Permalink
Re: Inline screenshots [In reply to]

On Thu, Jul 19, 2012 at 11:44 PM, Florin Andrei <florin [at] andrei> wrote:
> On 07/19/2012 03:59 AM, Rémi wrote:
>>
>>
>> I got this working in RT 3.8.8 by modifying /Elements/ScrubHTML to
>> authorize IMG elements and the src attribute. After that you can see
>> inline images in ticket history.
>> In RT4, ScrubHTML has been moved to /RT/Interface/Web.pm
>
>
> In RT4, I did this:
>
> --- Web.pm.old 2012-07-19 13:31:31.220050969 -0700
> +++ Web.pm 2012-07-19 13:32:10.034169941 -0700
> @@ -2867,7 +2867,7 @@
> );
> $scrubber->deny(qw[*]);
> $scrubber->allow(
> - qw[.A B U P BR I HR BR SMALL EM FONT SPAN STRONG SUB SUP STRIKE H1
> H2 H3 H4 H5 H6 DIV UL OL LI DL DT DD PRE BLOCKQUOTE]
> + qw[.A B U P BR I HR BR SMALL EM FONT SPAN STRONG SUB SUP STRIKE H1
> H2 H3 H4 H5 H6 DIV UL OL LI DL DT DD PRE BLOCKQUOTE IMG SRC]
> );
> $scrubber->comment(0);
>
> But if I include a link to an image in a ticket, all I get is the URL
> displayed as text:
>
> http://www.site.com/image.jpg
>
> Does the message need to be formatted as HTML to begin with?

Note that such a change introduces a security vulnerability that is easily
exploitable. People can insert URLs into img's src attribute that
point to RT itself and do some actions on behalf of the user who is
looking at the ticket.

> --
> Florin Andrei
> http://florin.myip.org/



--
Best regards, Ruslan.


mirebob at gmail

Jul 20, 2012, 5:43 AM

Post #6 of 9 (759 views)
Permalink
Re: Inline screenshots [In reply to]

2012/7/19 Ruslan Zakirov <ruz [at] bestpractical>:
> On Thu, Jul 19, 2012 at 11:44 PM, Florin Andrei <florin [at] andrei> wrote:
>> On 07/19/2012 03:59 AM, Rémi wrote:
>>>
>>>
>>> I got this working in RT 3.8.8 by modifying /Elements/ScrubHTML to
>>> authorize IMG elements and the src attribute. After that you can see
>>> inline images in ticket history.
>>> In RT4, ScrubHTML has been moved to /RT/Interface/Web.pm
>>
>>
>> In RT4, I did this:
>>
>> --- Web.pm.old 2012-07-19 13:31:31.220050969 -0700
>> +++ Web.pm 2012-07-19 13:32:10.034169941 -0700
>> @@ -2867,7 +2867,7 @@
>> );
>> $scrubber->deny(qw[*]);
>> $scrubber->allow(
>> - qw[.A B U P BR I HR BR SMALL EM FONT SPAN STRONG SUB SUP STRIKE H1
>> H2 H3 H4 H5 H6 DIV UL OL LI DL DT DD PRE BLOCKQUOTE]
>> + qw[.A B U P BR I HR BR SMALL EM FONT SPAN STRONG SUB SUP STRIKE H1
>> H2 H3 H4 H5 H6 DIV UL OL LI DL DT DD PRE BLOCKQUOTE IMG SRC]
>> );
>> $scrubber->comment(0);
>>
>> But if I include a link to an image in a ticket, all I get is the URL
>> displayed as text:
>>
>> http://www.site.com/image.jpg
>>
>> Does the message need to be formatted as HTML to begin with?
>
> Note that such a change introduces a security vulnerability that is easily
> exploitable. People can insert URLs into img's src attribute that
> point to RT itself and do some actions on behalf of the user who is
> looking at the ticket.
>

In my case I tweaked the scrubber a little more to avoid (reduce)
security issues;
the only thing I wanted is the ability to paste an image in the
CKeditor (<img src="data:image/png;base64..... />).
This does the trick after the $scrubber->allow() call.

$scrubber->rules(
    # Per-tag rule for <img>: attributes not listed here are dropped.
    img => {
        src => qr{^data\:image}i,   # src must start with "data:image"
        alt => 1,                   # alt text is kept
        '*' => 0,                   # any other attribute is removed
    },
);

Rémi


>> --
>> Florin Andrei
>> http://florin.myip.org/
>
>
>
> --
> Best regards, Ruslan.


trs at bestpractical

Jul 20, 2012, 9:17 AM

Post #7 of 9 (751 views)
Permalink
Re: Inline screenshots [In reply to]

On 07/20/2012 05:43 AM, Rémi wrote:
> In my case I tweaked the scrubber a little more to avoid (reduce)
> security issues;
> the only thing I wanted is the ability to paste an image in the
> CKeditor (<img src="data:image/png;base64..... />).
> This does the trick after the $scrubber->allow() call.
>
> $scrubber->rules(
>     img => {
>         src => qr{^data\:image}i,
>         alt => 1,
>         '*' => 0,
>     },
> );

In 4.0.6, you can configure this with a clean local overlay and not have
to patch any core RT code. Things to look forward to when you upgrade. ;)


giovanni.martin at adesoft

Jul 25, 2012, 1:41 AM

Post #8 of 9 (709 views)
Permalink
Re: Inline screenshots [In reply to]

Good afternoon,

Could you tell us what local variable you mean?
There isn't a release note for 4.0.6 on the web page.





Thomas Sibley wrote:
>
> On 07/20/2012 05:43 AM, Rémi wrote:
>> In my case I tweaked the scrubber a little more to avoid (reduce)
>> security issues;
>> the only thing I wanted is the ability to paste an image in the
>> CKeditor (<img src="data:image/png;base64..... />).
>> This does the trick after the $scrubber->allow() call.
>>
>> $scrubber->rules(
>>     img => {
>>         src => qr{^data\:image}i,
>>         alt => 1,
>>         '*' => 0,
>>     },
>> );
>
> In 4.0.6, you can configure this with a clean local overlay and not have
> to patch any core RT code. Things to look forward to when you upgrade. ;)
>
>

--
View this message in context: http://old.nabble.com/Inline-screenshots-tp33824848p34200036.html
Sent from the Request Tracker - User mailing list archive at Nabble.com.


trs at bestpractical

Jul 25, 2012, 12:29 PM

Post #9 of 9 (711 views)
Permalink
Re: Inline screenshots [In reply to]

On 07/25/2012 01:41 AM, gmadesoft wrote:
> Could you tell us what local variable you mean?

Local *overlay*, not variable. Something like the following (untested)
dropped into /opt/rt4/local/lib/RT/Interface/Web_Local.pm:

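use strict;
use warnings;

# Local overlay: extends RT::Interface::Web without patching the core file.
package HTML::Mason::Commands;

our %SCRUBBER_RULES;

# Per-tag rule for <img>: keep src only when it is a data:image/ URI.
$SCRUBBER_RULES{img} = {
    src => qr{^data:image/}i,
    alt => 1,    # alt text is kept
    '*' => 0,    # every other attribute is dropped
};

1;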

In 4.2 we should have most images displayed inline in the message body by
default.

> there isn't the release note for the 4.0.6 in the web page.

Yeah, we really should get the release notes up on the main website.
They _are_ archived from the mailing list:
http://lists.bestpractical.com/pipermail/rt-announce/2012-May/000204.html
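
Added example, not part of the thread and not RT's own code: it runs the img rule discussed above through HTML::Scrubber next to a rule that accepts any src and a tighter variant, on constructed input, to show which src values survive each policy. The helper name make_scrubber, the shortened tag list, the raster_b64 pattern and the example.com / example.net hosts are assumptions made for illustration.

```perl
use strict;
use warnings;
use HTML::Scrubber;

# Deny-by-default scrubber with one <img> rule. The tag list is shortened
# for this example; it is not RT's list.
sub make_scrubber {
    my ($img_rule) = @_;
    my $s = HTML::Scrubber->new;
    $s->default( 0, { '*' => 0 } );    # unknown tags and attributes are dropped
    $s->allow(qw[p b i br]);
    $s->rules( img => $img_rule );
    $s->comment(0);
    return $s;
}

my %policy = (
    # Any src value passes: no constraint on where the image loads from.
    any_src    => { src => 1, alt => 1, '*' => 0 },
    # The rule from the thread: src must start with data:image/
    data_image => { src => qr{^data:image/}i, alt => 1, '*' => 0 },
    # Tighter variant (assumption): raster types with a base64 payload only.
    raster_b64 => {
        src => qr{\Adata:image/(?:png|jpeg|gif);base64,[A-Za-z0-9+/=]+\z}i,
        alt => 1,
        '*' => 0,
    },
);

# Constructed samples; the hosts and paths are placeholders.
my %sample = (
    pasted_png  => '<p>see <img alt="" src="data:image/png;base64,iVBORw0KGgo="></p>',
    same_site   => '<img src="https://rt.example.com/placeholder-path?x=1">',
    remote_http => '<img src="http://tracker.example.net/pixel.gif">',
    svg_data    => '<img src="data:image/svg+xml;base64,PHN2Zy8+">',
    event_attr  => '<img src="data:image/png;base64,iVBORw0KGgo=" onerror="x()">',
);

# Report, per policy and sample, whether src (and any event handler) survived.
for my $p ( sort keys %policy ) {
    my $scrubber = make_scrubber( $policy{$p} );
    for my $name ( sort keys %sample ) {
        my $out  = $scrubber->scrub( $sample{$name} );
        my $kept = $out =~ /\bsrc=/     ? 'src kept'      : 'src dropped';
        my $evt  = $out =~ /\bonerror=/ ? ' onerror KEPT' : '';
        printf "%-11s %-12s %s%s\n", $p, $name, $kept, $evt;
    }
}
```

HTML::Scrubber comes from CPAN. Each output line names the policy, the sample and whether the src attribute survived scrubbing.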
