> do you remember last security bug in Internet Explorer? This is *totally* unrelated.
> urls like "http://[EMAIL PROTECTED]@url2/path" are shown as url1 while link > is relative to url2 site. The issue in IE is, those %01 strings can confuse IE and let it *display* another URL (in the statusbar, when the mouse is over the link) as it actually is requesting when the link is clicked. > The attached message shows same bug in my Evolution-1.4.5 + > GtkHTML-3.0.9. As Evolution 1.4.x does *not* show the target URL while the mouse is over the link, this is not related. Evolution 1.5.x does show the target URL. So this can only apply to 1.5.x and later versions. Check the statusbar of 1.5.x versions, if the *displayed* URL matches the *target* URL. > Is it solved or must I open a bugzilla entry? Check it against 1.5.x. Cannot comment without this. This is the link in your attached message (copied from source): <a href=3D"http://www2.bancopopular.es%01%01%01%01%01%01%01%01%01%01%01%01%= 01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%= 01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%= 01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%= [EMAIL PROTECTED]:%38%30/%67%62/%73%65%72%76= %69%6E%2E%70%68%70">https://www2.bancopopular.es/AppBPE/servlet/servin?p_pm= =3Dbo&p_pf=3Dc&p_id=3Desp</a> What you just where referring to in your OP, is a widespread method to only fool braindead users -- or users who do not see the target URL at all (sic, Evolution <= 1.4.x). This is similar to <a href="http://evil.site.com";>saint</a>, where the user only will see the text "saint" *inside* the message. This is just plain HTML and *must* be this way. Anything else would be dead wrong. Any sensitive Browser and Mailer will show the target link in the statusbar, while the mouse is over the link. Evolution 1.4.x does not do this. Evolution 1.5.x does it, but I don't know if it may fail. IE does show it, but it *decodes* the target URL and may display only parts of it when certain strings (like the %01) are a part of the target URL (the href value). Hope, this explained the issue. We still do not know how Evolution 1.5.x will actually *display* the target URL in the status bar when handling your attached message. ...guenther -- char *t="[EMAIL PROTECTED]"; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1: (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}} _______________________________________________ evolution-hackers maillist - [EMAIL PROTECTED] http://lists.ximian.com/mailman/listinfo/evolution-hackers
