Guidance on HTML-based API attributes and agents using the ticketing portal safely

In reviewing the Freshdesk API for Creating a Ticket, I noticed the description attribute accepts HTML and there is no plaintext option available. Given the obvious security concerns of accepting untrusted HTML with no plaintext option, I was curious to know:

  1. What kind of sanitization/encoding is done on the Freshdesk side before this HTML would surface to a support agent?
  2. Is this sanitization the same as if the user submitted via the help center form /support/tickets/new ?
  3. Do you provide any general guidance to clients using html fields via the API?
  4. What about general guidance for support agents that view tickets? (i.e. warnings about not clicking potentially malicious links, phishing, etc)

For example, I ran a test against the API:

Example description payload:

"<div>TEST - This is a pretend malicious link <a href="https://www.google.com" onclick="alert(\'test\')">click here</a></div>"

What html actually gets displayed in the support portal:

<div>TEST - This is a pretend malicious link <a href=https://www.google.com rel="noreferrer" target="_blank" heap-ignore="true" class="_ar_hide_" _ar_hide_="width:62px;height:16px;margin:0px;position:static;display:inline-block;">click here</a>
</div>

So it’s good to see the onclick attribute is removed, but the href renders fine, so it seems at a minimum that agents need to be careful about clicking any potential links in the ticket description body.

Could you provide guidance on the 4 questions I listed above?

We will need to involve the right product API team to help you with your questions.

We put you in touch with them → Ticket

1. What kind of sanitization/encoding is done on the Freshdesk side before this HTML would surface to a support agent?

The app sanitizes the HTML tags, attributes, and style elements which can be used for malicious activities. We filter and remove from user input whichever tags and attributes cause issues.

2. Is this sanitization the same as if the user submitted via the help center form /support/tickets/new?

The sanitization process remains the same irrespective of whether an agent submits the content or the end user does through email, portal, or other sources. The same process is applied to tickets or replies/notes added through the API.

3. Do you provide any general guidance to clients using html fields via the API?

We have a list of safe elements that avoid JavaScript injection and execution in the environment, and only these are allowed in the HTML content.

"a", "abbr", "acronym", "address", "audio", "b", "bdo", "blockquote", "br", "caption", "cite", "code", "col", "colgroup", "dd", "del", "details", "dfn", "dl", "div", "dt", "em", "font", "figcaption", "figure", "h1", "h2", "h3", "h4", "h5", "h6", "hgroup", "hr", "i", "img", "ins", "kbd", "li", "mark", "ol", "p", "pre", "q", "rp", "rt", "ruby", "s", "samp", "section", "summary", "small", "strike", "strong", "sub", "sup", "table", "tbody", "td", "tfoot", "th", "thead", "time", "tr", "tt", "u", "ul", "var", "wbr", "span", "source", "video"

4. What about general guidance for support agents that view tickets? (i.e. warnings about not clicking potentially malicious links, phishing, etc)

Currently, we do not have a mechanism to warn agents when clicking on links to external websites. A warning message for external hyperlinks is part of the security roadmap. We'll keep you posted once we have further updates on this.
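For readers who want to see what an allowlist sanitizer of the kind described in the reply actually does to the test payload from the question, here is an added example in Python. It is not Freshdesk's code (the page does not publish it): the element allowlist is copied from the reply, but the per-element attribute allowlist, the URL scheme check, the dropping of script/style content and the rel="noopener noreferrer" on links are assumptions (the observed output above shows rel="noreferrer" target="_blank"). It reproduces the outcome the question observed (onclick stripped, href kept) and also covers the cases a client should strip before sending HTML to the API: javascript:/data: URLs, including whitespace-obfuscated ones, event handlers on any element, script bodies and unclosed tags.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Element allowlist as published in the reply above.
ALLOWED_TAGS = frozenset("""
a abbr acronym address audio b bdo blockquote br caption cite code col colgroup
dd del details dfn dl div dt em font figcaption figure h1 h2 h3 h4 h5 h6 hgroup
hr i img ins kbd li mark ol p pre q rp rt ruby s samp section summary small
strike strong sub sup table tbody td tfoot th thead time tr tt u ul var wbr
span source video""".split())

# ASSUMPTION: per-element attribute allowlist (the reply lists elements only).
ALLOWED_ATTRS = {
    "a": {"href", "title"},
    "img": {"src", "alt", "width", "height"},
    "audio": {"src", "controls"},
    "video": {"src", "controls", "width", "height"},
    "source": {"src", "type"},
    "td": {"colspan", "rowspan"},
    "th": {"colspan", "rowspan"},
}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto"}          # assumption
VOID_TAGS = {"br", "hr", "img", "col", "wbr", "source"}
# Disallowed elements whose text content is dropped too, not just the tag.
DROP_CONTENT = {"script", "style", "iframe", "object", "embed", "noscript"}


def safe_url(value):
    """Accept relative URLs and http/https/mailto; reject javascript:, data:,
    vbscript: etc. Control characters and spaces are removed first because
    browsers ignore them, so 'java\\nscript:' must not slip through."""
    cleaned = re.sub(r"[\x00-\x20]", "", value)
    scheme = urlparse(cleaned).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Re-serializes input keeping only allowlisted elements/attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # kept, still-open elements (for balancing)
        self.skipping = 0     # >0 while inside script/style/iframe/...

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skipping += 1
            return
        if tag not in ALLOWED_TAGS:
            return                       # drop the tag, keep its text
        kept = []
        for name, value in attrs:
            if name.startswith("on") or name == "style":
                continue                 # event handlers / inline CSS never survive
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name in URL_ATTRS and not safe_url(value or ""):
                continue                 # e.g. href="javascript:..."
            kept.append((name, value))
        if tag == "a":                   # assumption: mirror the observed rel/target
            kept += [("rel", "noopener noreferrer"), ("target", "_blank")]
        parts = [tag] + [n if v is None else f'{n}="{escape(v, quote=True)}"'
                         for n, v in kept]
        self.out.append("<" + " ".join(parts) + ">")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skipping = max(0, self.skipping - 1)
            return
        if tag not in ALLOWED_TAGS or tag in VOID_TAGS or tag not in self.open_tags:
            return
        while True:                      # close anything left open inside it
            t = self.open_tags.pop()
            self.out.append(f"</{t}>")
            if t == tag:
                break

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass                             # comments (incl. conditional) dropped

    def result(self):
        while self.open_tags:            # balance unclosed tags
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(html):
    p = AllowlistSanitizer()
    p.feed(html)
    p.close()
    return p.result()


# Constructed from the test payload quoted in the question above.
PAGE_PAYLOAD = ('<div>TEST - This is a pretend malicious link '
                '<a href="https://www.google.com" onclick="alert(\'test\')">click here</a></div>')

if __name__ == "__main__":
    print(sanitize(PAGE_PAYLOAD))
    print(sanitize('<a href="  JaVa\nScRiPt:alert(1)">x</a>'))
    print(sanitize('<img src=x onerror=alert(1)><script>alert(1)</script><b>bold <i>both'))
```

Note what this does not solve: a perfectly clean https:// href to an attacker-controlled site survives every step, which is exactly the point made in the question about agents needing to treat links in ticket bodies as untrusted.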