In reviewing the Freshdesk API for Creating a Ticket, I noticed the description attribute accepts HTML and there is no plaintext option available. Given the obvious security concerns of accepting untrusted HTML with no plaintext option, I was curious to know:
- What kind of sanitation/encoding is done on the Freshdesk side before this HTML would surface to a support agent?
- Is this sanitation the same as if the user submitted via the help center form /support/tickets/new?
- Do you provide any general guidance to clients using HTML fields via the API?
- What about general guidance for support agents that view tickets? (i.e. warnings about not clicking potentially malicious links, phishing, etc.)
For example, I ran a test against the API.
Example description payload:
"<div>TEST - This is a pretend malicious link <a href="https://www.google.com" onclick="alert(\'test\')">click here</a></div>"
What HTML actually gets displayed in the support portal:
<div>TEST - This is a pretend malicious link <a href=https://www.google.com rel="noreferrer" target="_blank" heap-ignore="true" class="_ar_hide_" _ar_hide_="width:62px;height:16px;margin:0px;position:static;display:inline-block;">click here</a></div>
So it's good to see the onclick attribute is removed, but the href renders fine, so it seems at a minimum that agents need to be careful about clicking any potential links in the ticket description body.
Could you provide guidance on the 4 questions I listed above?
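As an added illustration (not Freshdesk's code and not the poster's), this Python allow-list sanitiser reproduces the transformation seen in the test above: inline event handlers such as onclick are dropped, the http(s) href survives with rel/target attributes added (here also noopener), non-http(s) URLs are removed, and a second function checks whether HTML handed back by an API still carries a handler or a javascript: URL. The tag and attribute allow-lists are assumptions, not Freshdesk's actual policy.

```python
# Added example, not Freshdesk's code: allow-list sanitiser for a ticket
# description plus a checker for returned HTML. Allow-lists are assumptions.
from html import escape
from html.parser import HTMLParser
import re

ALLOWED_TAGS = {"div", "p", "br", "b", "i", "strong", "em", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}          # everything else (onclick, style, class) is dropped
SAFE_SCHEMES = ("http://", "https://", "mailto:")

class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return                        # unknown tag dropped, its text is kept
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                continue                  # removes onclick= and every other handler
            if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue                  # drops javascript:, data:, vbscript: URLs
            kept.append(f' {name}="{escape(value, quote=True)}"')
        if tag == "a":                    # what the portal output above shows, plus noopener
            kept.append(' rel="noopener noreferrer" target="_blank"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))     # text is re-encoded, never emitted raw

def sanitize_description(html: str) -> str:
    """Return an allow-listed rendering of untrusted ticket HTML."""
    p = Sanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out)

EVENT_HANDLER = re.compile(r"\son[a-z]+\s*=", re.I)
JS_URL = re.compile(r"(href|src)\s*=\s*[\"']?\s*javascript:", re.I)

def looks_unsafe(rendered_html: str) -> bool:
    """True if HTML returned by the API still carries a handler or javascript: URL."""
    return bool(EVENT_HANDLER.search(rendered_html) or JS_URL.search(rendered_html))
```

Running looks_unsafe over the description the API returns is the quickest way to confirm, for your own tenant, that the handler removal observed above holds for other payloads too.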