mantisbt-plugins / VEditor

MIT License
2 stars 0 forks source link

Compatibility with plugin “mailtemplate” #3

Open ms-nthiele opened 5 months ago

ms-nthiele commented 5 months ago

Activating the VEditor plugin results in Mantis emails that have been enhanced with the “mailtemplate” plugin no longer containing correct HTML.

To solve this problem, the option “html_disable_str” can be set to 1. Does this affect other functions? If necessary, I create a pull request and add a function that queries whether the plugin is active and changes the default value. https://github.com/mantisbt-plugins/VEditor/blob/e43229a7d82d8f92dbc16438edef10b85735e5a4/VEditor.php#L302

Plugin: https://github.com/mantisbt-plugins/mailtemplate

pysiek634 commented 5 months ago

Unfortunately, I have not used the mailtemplate plugin before. In general, using mailtemplate plugin with VEditor can be dangerous due to the fact that the validation of the entered HTML code is performed while displaying the data. If such HTML code from the comment is sent via email, some malicious javascript code may be executed. VEditor allows sending emails with HTML, provided that the responsibility for its content will be on the side of the plugin that generates it. This is exactly the option you found in the code is for. However, it should not be changed by changing the VEditor plugin code. It should contain a non-empty string that generate the plugin that sends the emails, which is responsible for the validation of the content.
In your example, you propose to set the value '1'. This will work, of course, if always provide that '1' occurs in the every email message. (Mayby better is '-' ). I would suggest taking a closer look at the security of the generated HTML code. If you want to block the conversion of HTML to plain text, then you can set a global variable in config_inc.php, mailtemplate code or as database configuration option.

$g_plugin_VEditor_html_disable_str = '1';

However, it is better to set this variable to an any longer string, which has to set by the code that generates emails, after checking and validating the HTML message code.

For my part, I will look into the possibility of saving the already validated HTML code to Mantis tables. In the current version of the plugin, it can't be fully trusted.