NAME
RT-Extension-PermissiveHTMLMail - Allows a greater range of HTML in RT,
at the cost of security
SUMMARY
By default, RT displays HTML mail; however, due to security concerns, by
default it does not allow the full range of HTML to be used.
Specifically, it prevents:
Tables
Because RT cannot ensure that HTML in email is balanced, malicious
email messages can use tables to mimic or mask parts of the standard
RT UI. This opens RT to a broad range of "phishing attacks," wherein
the user believes they are clicking a benign RT link, which actually
is controlled by the originator of the email. This can allow
attackers to steal passwords and compromise RT, and possibly other
servers.
Many text styles
CSS is a powerful tool; it can also be used to mimic or mask parts
of the standard RT UI. By default, RT thus only allows a small
subset of CSS properties, which are sufficient for simple styling.
Allowing arbitrary styles could lead to effective "phishing
attacks," compromising passwords.
Installing this extension loosens the above restrictions; this should be
sufficient for most needs. However, RT will still only allow HTML tags
that it recognizes.
Installing this extension also additionally provides a
$AllowDangerousHTML configuration option. Setting this alters RT from
using a whitelist (allowing only HTML tags and attributes which it knows
to be safe) to using a blacklist (skip tags and ributes which are
unsafe). This is unsafe and dangerous, as there are guaranteedly further
unsafe tags which RT does not know to prevent. Enabling this feature
allows your RT account to be compromised by a malicious email. Do not
enable it (via "Set( $AllowDangerousHTML, 1 )") unless you understand
the consequences.
INSTALLATION
"perl Makefile.PL"
"make"
"make install"
May need root permissions
Edit your /opt/rt4/etc/RT_SiteConfig.pm
Add this line:
Set(@Plugins, qw(RT::Extension::PermissiveHTMLMail));
or add "RT::Extension::PermissiveHTMLMail" to your existing @Plugins
line.
Restart your webserver
AUTHOR
Alex Vandiver
BUGS
All bugs should be reported via email to
bug-RT-Extension-PermissiveHTMLMail@rt.cpan.org
or via the web
at rt.cpan.org
.
LICENSE AND COPYRIGHT
This software is Copyright (c) 2013 by Best Practical Solutions, LLC
This is free software, licensed under:
The GNU General Public License, Version 2, June 1991