django-helpdesk/templates/helpdesk/public_view_ticket.html
Ross Poulton 738a88a5aa * Fix an XSS hole: No user-sourced HTML is displayed at all. Descriptions, resolutions and followup comments are treated as text using force_escape and linebreaksbr template filters. (Issue #39)
* Incoming email also handled slightly differently: If an email has both HTML and Plain-text parts, the plain text is used in the ticket description and/or followup comment fields. The HTML portion is attached as 'email_html_body.html' so it can be viewed by the user. If an HTML-only email is received, the body is entered as "View attachment for body". (Issue #39)
2009-01-19 09:40:14 +00:00


{% extends "helpdesk/public_base.html" %}{% load i18n %}
{% block helpdesk_title %}{% trans "View a Ticket" %}{% endblock %}
{% block helpdesk_body %}
<table width='100%'>
<tr class='row_tablehead'><td colspan='2'>{{ ticket.id }}. {{ ticket.title }} [{{ ticket.get_status }}]</td></tr>
<tr class='row_columnheads'><th colspan='2'>{% blocktrans with ticket.queue as queue_name %}Queue: {{ queue_name }}{% endblocktrans %}</th></tr>
<tr class='row_odd'>
<th>{% trans "Submitted On" %}</th>
<td>{{ ticket.created|date:"r" }} ({{ ticket.created|timesince }} ago)</td>
</tr>
<tr class='row_even'>
<th>{% trans "Submitter E-Mail" %}</th>
<td>{{ ticket.submitter_email }}</td>
</tr>
<tr class='row_odd'>
<th>{% trans "Priority" %}</th>
<td>{{ ticket.get_priority_display }}</td>
</tr>
<tr class='row_even'>
<th colspan='2'>{% trans "Description" %}</th>
</tr>
<tr class='row_odd'>
{# User-sourced text: escape first, then turn newlines into <br /> so no submitted HTML is ever rendered #}
<td colspan='2'>{{ ticket.description|force_escape|linebreaksbr }}</td>
</tr>
{% if ticket.resolution %}<tr class='row_even'>
<th colspan='2'>{% trans "Resolution" %}{% ifequal ticket.get_status_display "Resolved" %} <a href='?close'><img src='{{ MEDIA_URL }}/helpdesk/buttons/accept.png' alt='{% trans "Accept" %}' title='{% trans "Accept and Close" %}' width='60' height='15' /></a>{% endifequal %}</th>
</tr>
<tr class='row_odd'>
<td colspan='2'>{{ ticket.resolution|force_escape|linebreaksbr }}</td>
</tr>{% endif %}
</table>
{% if ticket.followup_set.public_followups %}
<h3>{% trans "Follow-Ups" %}</h3>
{% load ticket_to_link %}
{% for followup in ticket.followup_set.public_followups %}
<div class='followup'>
<div class='title'>{{ followup.title }} <span class='byline'>{% if followup.user %}by {{ followup.user }}{% endif %} <span title='{{ followup.date|date:"r" }}'>{{ followup.date|timesince }} ago</span></span></div>
{{ followup.comment|force_escape|num_to_link|linebreaksbr }}
{% if followup.ticketchange_set.all %}<div class='changes'><ul>
{% for change in followup.ticketchange_set.all %}
<li>{% blocktrans %}Changed {{ change.field }} from {{ change.old_value }} to {{ change.new_value }}.{% endblocktrans %}</li>
{% endfor %}
</ul></div>{% endif %}
</div>
{% endfor %}
{% endif %}
{% endblock %}
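The commit message above describes two defensive behaviours: user-sourced text is escaped before line breaks are converted to `<br />` (the `force_escape|linebreaksbr` filter chain used in the template), and incoming mail prefers the text/plain part for the ticket body while any HTML part is stored as an attachment named `email_html_body.html`, with HTML-only mail getting the body "View attachment for body". The following is an added example, not django-helpdesk's own code: it reimplements both behaviours with the Python standard library so they can be run without Django. The function names and the sample messages are constructed for this example.

```python
"""Added example (not django-helpdesk's code): escape-then-linebreak rendering
of user text, and plain-text-first handling of incoming e-mail, using only the
standard library. Function names and sample messages are constructed here."""
import email
import html
from email import policy
from email.message import EmailMessage

# Names taken from the commit message describing the change
HTML_ATTACHMENT_NAME = "email_html_body.html"
HTML_ONLY_PLACEHOLDER = "View attachment for body"


def escape_and_linebreaks(text: str) -> str:
    """Mirror of the force_escape|linebreaksbr filter chain.

    Escaping happens *before* <br /> tags are inserted, so the only markup in
    the output is the markup this function added itself; any <script> or
    other tags in the submitted text come out as literal text."""
    escaped = html.escape(text, quote=True)
    # Normalise CRLF / CR line endings, then convert newlines to <br />
    escaped = escaped.replace("\r\n", "\n").replace("\r", "\n")
    return escaped.replace("\n", "<br />")


def extract_ticket_body(raw_message: str):
    """Return (body_text, attachments) for one incoming e-mail.

    - text/plain part present: it becomes the ticket body.
    - text/html part present: stored as an attachment, never rendered.
    - HTML-only mail: body is the placeholder text from the commit message.
    attachments is a list of (filename, content) tuples."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    plain = None
    html_part = None
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no body of their own
        ctype = part.get_content_type()
        if ctype == "text/plain" and plain is None:
            plain = part.get_content()
        elif ctype == "text/html" and html_part is None:
            html_part = part.get_content()

    attachments = []
    if html_part is not None:
        attachments.append((HTML_ATTACHMENT_NAME, html_part))

    if plain is not None:
        body = plain
    elif html_part is not None:
        body = HTML_ONLY_PLACEHOLDER
    else:
        body = ""
    return body, attachments


def build_sample_messages():
    """Constructed sample mail for this example (not real traffic):
    one multipart/alternative message with both parts, one HTML-only."""
    both = EmailMessage()
    both["Subject"] = "Printer broken"
    both["From"] = "user@example.com"
    both.set_content("Printer on floor 2 is jammed.\nPlease help.")
    both.add_alternative("<p>Printer on floor 2 is <b>jammed</b>.</p>", subtype="html")

    html_only = EmailMessage()
    html_only["Subject"] = "Login issue"
    html_only["From"] = "user@example.com"
    html_only.set_content("<p>Cannot <i>log in</i>.</p>", subtype="html")
    return both.as_string(), html_only.as_string()


if __name__ == "__main__":
    print(escape_and_linebreaks("<script>alert(1)</script>\nsecond line"))
    for raw in build_sample_messages():
        body, attachments = extract_ticket_body(raw)
        print(repr(body), [name for name, _ in attachments])
```

The ordering in `escape_and_linebreaks` is the whole point: escaping after inserting `<br />` would turn the line breaks back into literal text, while inserting `<br />` after escaping leaves submitted tags inert. The mail handler never renders the HTML part; it only stores it so a user can open it deliberately.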