Guidance on html-based API attributes and agents using the ticketing portal safely

In reviewing the API for Creating a Ticket Freshdesk, I Noticed the description attribute accepts HTML and there is no plaintext option available. Given the obvious security concerns of accepting untrusted html with no plaintext option, I was curious to know:

  1. What kind of sanitation/encoding is done on the Freshdesk side before this html would surface to a support agent?
  2. Is this sanitation the same as if the user submitted via the help center form /support/tickets/new ?
  3. Do you provide any general guidance to clients using html fields via the API?
  4. What about general guidance for support agents that view tickets? (i.e. warnings about not clicking potentially malicious links, phishing, etc)

For example, I ran a test against the API:

Example description payload:

“<div>TEST - This is a pretend malicious link <a href="https://www.google.com" onclick="alert(\'test\')">click here</a></div>”

What html actually gets displayed in the support portal:

<div>TEST - This is a pretend malicious link <a href=https://www.google.com rel="noreferrer" target="_blank" heap-ignore="true" class="_ar_hide_" _ar_hide_="width:62px;height:16px;margin:0px;position:static;display:inline-block;">click here</a>
</div>

So it’s good to see the onclick attribute is removed, but the href renders fine, so it seems at a minimum that agents need to be careful about clicking any potential links in the ticket description body.

Could you provide guidance on the 4 questions I listed above?

We will need to involve the right product API team to help you with your questions.

We put you in touch with them → Ticket