From 03ca8f396b1aa9933c212a63f52a9ea26c06e7da Mon Sep 17 00:00:00 2001
From: Dusan Vuckovic <dusan.vuckovic@otrs.com>
Date: Wed, 11 Sep 2019 16:28:10 +0100
Subject: [PATCH] Improved article quoting.

---
 Kernel/Modules/AgentTicketActionCommon.pm     | 22 +++++----
 Kernel/Modules/AgentTicketCompose.pm          | 22 +++++----
 Kernel/Modules/AgentTicketForward.pm          | 22 +++++----
 Kernel/Modules/AgentTicketPhone.pm            | 22 +++++----
 .../test/Selenium/Agent/AgentTicketForward.t  | 46 ++++++++++++++++++-
 5 files changed, 101 insertions(+), 33 deletions(-)

--- a/Kernel/Modules/AgentTicketActionCommon.pm
+++ b/Kernel/Modules/AgentTicketActionCommon.pm
@@ -1316,14 +1316,20 @@ sub Run {
         # set Body var to calculated content
         $GetParam{Body} = $Body;
 
-        # Strip out external content if needed.
-        if ( $ConfigObject->Get('Ticket::Frontend::BlockLoadingRemoteContent') ) {
-            my %SafetyCheckResult = $Kernel::OM->Get('Kernel::System::HTMLUtils')->Safety(
-                String       => $GetParam{Body},
-                NoExtSrcLoad => 1,
-            );
-            $GetParam{Body} = $SafetyCheckResult{String};
-        }
+        my %SafetyCheckResult = $Kernel::OM->Get('Kernel::System::HTMLUtils')->Safety(
+            String => $GetParam{Body},
+
+            # Strip out external content if BlockLoadingRemoteContent is enabled.
+            NoExtSrcLoad => $ConfigObject->Get('Ticket::Frontend::BlockLoadingRemoteContent'),
+
+            # Disallow potentially unsafe content.
+            NoApplet     => 1,
+            NoObject     => 1,
+            NoEmbed      => 1,
+            NoSVG        => 1,
+            NoJavaScript => 1,
+        );
+        $GetParam{Body} = $SafetyCheckResult{String};
 
         if ( $Self->{ReplyToArticle} ) {
             my $TicketSubjectRe = $ConfigObject->Get('Ticket::SubjectRe') || 'Re';
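Review bot: The `Replace` flag that Safety() returns next to `String` is discarded at `$GetParam{Body} = $SafetyCheckResult{String};`, so when an applet, object, embed, SVG or script element is stripped from the quoted article nothing records that it happened; the identical hunks in AgentTicketCompose.pm, AgentTicketForward.pm and AgentTicketPhone.pm have the same gap. A single log call after the assignment, e.g. `$Kernel::OM->Get('Kernel::System::Log')->Log( Priority => 'notice', Message => "Unsafe content removed while quoting article for ticket $Self->{TicketID}" ) if $SafetyCheckResult{Replace};` (assuming `$Self->{TicketID}` is populated here as elsewhere in the module), would make the sanitisation visible to operators. Separately, `NoExtSrcLoad => $ConfigObject->Get('Ticket::Frontend::BlockLoadingRemoteContent')` hands Safety() undef when the setting is absent; if Safety() only tests the value for truth that is harmless, but `NoExtSrcLoad => $ConfigObject->Get('Ticket::Frontend::BlockLoadingRemoteContent') ? 1 : 0,` states the intent and never passes undef. Since this thirteen-line call is now copied into four modules, a shared helper would keep the option set from drifting between them when the next flag is added. The enclosing `sub Run` starts and ends outside the hunk.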
--- a/Kernel/Modules/AgentTicketCompose.pm
+++ b/Kernel/Modules/AgentTicketCompose.pm
@@ -1170,14 +1170,20 @@ sub Run {
             UploadCacheObject => $UploadCacheObject,
         );
 
-        # Strip out external content if needed.
-        if ( $ConfigObject->Get('Ticket::Frontend::BlockLoadingRemoteContent') ) {
-            my %SafetyCheckResult = $Kernel::OM->Get('Kernel::System::HTMLUtils')->Safety(
-                String       => $Data{Body},
-                NoExtSrcLoad => 1,
-            );
-            $Data{Body} = $SafetyCheckResult{String};
-        }
+        my %SafetyCheckResult = $Kernel::OM->Get('Kernel::System::HTMLUtils')->Safety(
+            String => $Data{Body},
+
+            # Strip out external content if BlockLoadingRemoteContent is enabled.
+            NoExtSrcLoad => $ConfigObject->Get('Ticket::Frontend::BlockLoadingRemoteContent'),
+
+            # Disallow potentially unsafe content.
+            NoApplet     => 1,
+            NoObject     => 1,
+            NoEmbed      => 1,
+            NoSVG        => 1,
+            NoJavaScript => 1,
+        );
+        $Data{Body} = $SafetyCheckResult{String};
 
         # restrict number of body lines if configured
         if (
--- a/Kernel/Modules/AgentTicketForward.pm
+++ b/Kernel/Modules/AgentTicketForward.pm
@@ -286,14 +286,20 @@ sub Form {
         AttachmentsInclude => 1,
     );
 
-    # Strip out external content if needed.
-    if ( $ConfigObject->Get('Ticket::Frontend::BlockLoadingRemoteContent') ) {
-        my %SafetyCheckResult = $Kernel::OM->Get('Kernel::System::HTMLUtils')->Safety(
-            String       => $Data{Body},
-            NoExtSrcLoad => 1,
-        );
-        $Data{Body} = $SafetyCheckResult{String};
-    }
+    my %SafetyCheckResult = $Kernel::OM->Get('Kernel::System::HTMLUtils')->Safety(
+        String => $Data{Body},
+
+        # Strip out external content if BlockLoadingRemoteContent is enabled.
+        NoExtSrcLoad => $ConfigObject->Get('Ticket::Frontend::BlockLoadingRemoteContent'),
+
+        # Disallow potentially unsafe content.
+        NoApplet     => 1,
+        NoObject     => 1,
+        NoEmbed      => 1,
+        NoSVG        => 1,
+        NoJavaScript => 1,
+    );
+    $Data{Body} = $SafetyCheckResult{String};
 
     if ( $LayoutObject->{BrowserRichText} ) {
 
--- a/Kernel/Modules/AgentTicketPhone.pm
+++ b/Kernel/Modules/AgentTicketPhone.pm
@@ -351,14 +351,20 @@ sub Run {
                 $Article{ContentType} = 'text/plain';
             }
 
-            # Strip out external content if needed.
-            if ( $ConfigObject->Get('Ticket::Frontend::BlockLoadingRemoteContent') ) {
-                my %SafetyCheckResult = $Kernel::OM->Get('Kernel::System::HTMLUtils')->Safety(
-                    String       => $Article{Body},
-                    NoExtSrcLoad => 1,
-                );
-                $Article{Body} = $SafetyCheckResult{String};
-            }
+            my %SafetyCheckResult = $Kernel::OM->Get('Kernel::System::HTMLUtils')->Safety(
+                String => $Article{Body},
+
+                # Strip out external content if BlockLoadingRemoteContent is enabled.
+                NoExtSrcLoad => $ConfigObject->Get('Ticket::Frontend::BlockLoadingRemoteContent'),
+
+                # Disallow potentially unsafe content.
+                NoApplet     => 1,
+                NoObject     => 1,
+                NoEmbed      => 1,
+                NoSVG        => 1,
+                NoJavaScript => 1,
+            );
+            $Article{Body} = $SafetyCheckResult{String};
 
             # show customer info
             if ( $ConfigObject->Get('Ticket::Frontend::CustomerInfoCompose') ) {
