API Ticket - Allow HTML in details

ichabot

Hi!

I'm creating tickets via the ITFlow API from TacticalRMM webhook alerts. What formatting options are supported in the ticket_details field? Can I use HTML, rich text, or at minimum line breaks for better readability?

johnny

hey @ichabot

Here is the current POST code for creating tickets via the API

if (isset($_POST['ticket_details'])) {

    $details = sanitizeInput($_POST['ticket_details']) . "<br>";

} elseif ($ticket_row) {

    $details = $ticket_row['ticket_details'];

} else {

    $details = '< blank ><br>';

im sure if we replace sanitizeInput with mysqliescapestrings() it would accept html but currently it does not

wrongecho

For reference sanitizeInput is currently:

function sanitizeInput($input)
{
    global $mysqli;

    if (!empty($input)) {
        // Detect encoding
        $encoding = mb_detect_encoding($input, ['UTF-8', 'ISO-8859-1', 'Windows-1252', 'ISO-8859-15'], true);

        // If not UTF-8, convert to UTF8 (primarily Windows-1252 is problematic)
        if ($encoding !== 'UTF-8') {
            $input = mb_convert_encoding($input, 'UTF-8', $encoding);
        }
    }

    // Remove HTML and PHP tags
    $input = strip_tags((string) $input);

    // Remove white space from beginning and end of input
    $input = trim($input);

    // Escape special characters
    $input = mysqli_real_escape_string($mysqli, $input);

    // Return sanitized input
    return $input;
}

This is because we don't usually want HTML in the database but we actually shouldn't be using this for ticket details as we do allow that and display it appropriately using HTMLPurifier.

ichabot

Thanks alot for explaning that.