[kdepim] [Bug 371656] HTML mail styles spill into message header: security risk

2022-01-02 Thread Erik Quaeghebeur
https://bugs.kde.org/show_bug.cgi?id=371656

--- Comment #13 from Erik Quaeghebeur  ---
1. I have looked at two webmail clients (Fastmail and Web Outlook) to see how
they deal with this issue. They essentially seem to include a div with the HTML
email that includes the style element for that email. While this is against the
html spec (style may only be introduced in the head element), it seems to work
decently.

2. After reading up on the current state of HTML, a possibly spec-compliant fix
might be achieved using ‘Web Components’, using templates and/or slots. It seems
designed mostly with dynamic pages in mind, but may be usable even for kmail's
relatively simple purpose. How exactly this could be done is not clear to me
yet, TBH.

-- 
You are receiving this mail because:
You are watching all bug changes.

[kdepim] [Bug 371656] HTML mail styles spill into message header: security risk

2022-01-01 Thread Erik Quaeghebeur
https://bugs.kde.org/show_bug.cgi?id=371656

Erik Quaeghebeur  changed:

            What|Removed                     |Added
        Priority|NOR                         |HI
         Version|5.16.1                      |GIT (master)
        Severity|minor                       |major
         Summary|HTML mail styles spill into |HTML mail styles spill into
                |message header              |message header: security
                |                            |risk

--- Comment #12 from Erik Quaeghebeur  ---
As is clear from some bug reports marked as a duplicate of this one, this issue
is a security risk. Namely, the HTML's CSS may apply changes in an adversarial
way, to, e.g., make phishing scams more credible and more difficult to detect by
the user. I've added that this is a security risk to the header and increased
the importance. I've also indicated that it is still present in the current
development branch.

What has not yet been mentioned, I think, is that this issue can affect display
of attachments.

Any ideas for fixing this are welcome. The current rendering engine is far more
advanced than it was five years ago, so we may have better options now.


[kdepim] [Bug 371656] HTML mail styles spill into message header

2022-01-01 Thread Erik Quaeghebeur
https://bugs.kde.org/show_bug.cgi?id=371656

Erik Quaeghebeur  changed:

   What|Removed |Added

 CC||tho...@tanghus.net

--- Comment #11 from Erik Quaeghebeur  ---
*** Bug 429393 has been marked as a duplicate of this bug. ***


[kdepim] [Bug 371656] HTML mail styles spill into message header

2022-01-01 Thread Erik Quaeghebeur
https://bugs.kde.org/show_bug.cgi?id=371656

Erik Quaeghebeur  changed:

   What|Removed |Added

 CC||si...@technocool.net

--- Comment #10 from Erik Quaeghebeur  ---
*** Bug 441829 has been marked as a duplicate of this bug. ***


[kdepim] [Bug 371656] HTML mail styles spill into message header

2021-12-31 Thread Jonathan Marten
https://bugs.kde.org/show_bug.cgi?id=371656

Jonathan Marten  changed:

   What|Removed |Added

 CC||j...@keelhaul.me.uk

--- Comment #9 from Jonathan Marten  ---
See also 441829, 429393, 317177


[kdepim] [Bug 371656] HTML mail styles spill into message header

2021-12-31 Thread Erik Quaeghebeur
https://bugs.kde.org/show_bug.cgi?id=371656

Erik Quaeghebeur  changed:

   What|Removed |Added

 CC||sud...@sudhirkhanger.com

--- Comment #8 from Erik Quaeghebeur  ---
*** Bug 340621 has been marked as a duplicate of this bug. ***


[kdepim] [Bug 371656] HTML mail styles spill into message header

2021-12-31 Thread Erik Quaeghebeur
https://bugs.kde.org/show_bug.cgi?id=371656

Erik Quaeghebeur  changed:

   What|Removed |Added

 CC||n...@naturalnet.de

--- Comment #7 from Erik Quaeghebeur  ---
*** Bug 359425 has been marked as a duplicate of this bug. ***


[kdepim] [Bug 371656] HTML mail styles spill into message header

2021-12-30 Thread Erik Quaeghebeur
https://bugs.kde.org/show_bug.cgi?id=371656

Erik Quaeghebeur  changed:

            What|Removed |Added
  Ever confirmed|0       |1
              CC|        |bugs.kde@e3q.eu
          Status|REPORTED|CONFIRMED
         Version|5.3.1   |5.16.1
         Product|kmail2  |kdepim
       Component|UI      |messageviewer

--- Comment #6 from Erik Quaeghebeur  ---
Still an issue in 5.18.3 (apparently this version is not available in the
drop-down menu).
This is actually an issue in messageviewer. It happens because the HTML
message's header (including style) is used for the full message view, to which
the header and attachment footers are added. So any HTML message style not
explicitly overridden in the header theme, but different from the default KMail
style, can wreak havoc on the header. This cannot reasonably be fixed in the
header themes. What should happen is that the HTML message is displayed in a
separate box (iframe or something less intrusive) and that its header is not
used for the full message view.

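Comment #6's "separate box (iframe or something less intrusive)" and Comment #13's Web Components idea express the same isolation rule: the mail body's stylesheet must not share a document scope with the viewer's header. The block below is an added example written for this thread, not KMail or messageviewer code; it builds the buggy shared layout beside two isolated layouts (a sandboxed `srcdoc` iframe and a declarative shadow root, whose `shadowrootmode` attribute is assumed to be supported by the rendering engine) plus a heuristic check for `<style>` elements left in the header's scope.

```javascript
// Added example (not KMail/messageviewer code): keep an untrusted HTML mail body
// out of the document holding the message header so its <style> cannot restyle
// the header. Assumes engine support for iframe sandbox and shadowrootmode.

// Escape text for safe use inside an HTML attribute value or text node.
function escapeHtml(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;")
          .replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// The header is trusted viewer chrome; field values are still escaped.
function renderHeader(fields) {
  const rows = Object.entries(fields)
    .map(([k, v]) => `<tr><th>${escapeHtml(k)}</th><td>${escapeHtml(v)}</td></tr>`)
    .join("");
  return `<table id="kmail-header">${rows}</table>`;
}

// The layout the bug describes: header and mail body share one document, so a
// mail <style> such as "th, td { display: none }" also hides the header rows.
function renderShared(fields, mailHtml) {
  return `<html><body>${renderHeader(fields)}<div class="mailbody">${mailHtml}</div></body></html>`;
}

// Fix 1: sandboxed srcdoc iframe. The body is a separate document, so its CSS
// cannot reach the parent; an empty sandbox also blocks script and navigation.
function renderWithIframe(fields, mailHtml) {
  return `<html><body>${renderHeader(fields)}<iframe sandbox="" srcdoc="${escapeHtml(mailHtml)}"></iframe></body></html>`;
}

// Fix 2: declarative shadow DOM. Rules inside a shadow root are scoped to it;
// the header stays in the light DOM and is not matched by the mail's selectors.
function renderWithShadowRoot(fields, mailHtml) {
  return `<html><body>${renderHeader(fields)}<div class="mailbody"><template shadowrootmode="open">${mailHtml}</template></div></body></html>`;
}

// Count <style> elements that live in the same document scope as the header
// (a heuristic string check: iframe srcdoc content and shadow-root content are
// removed first because styles there cannot reach the header).
function unscopedStyleCount(html) {
  const outside = html
    .replace(/srcdoc="[^"]*"/g, 'srcdoc=""')
    .replace(/<template shadowrootmode="open">[\s\S]*?<\/template>/g, "");
  return (outside.match(/<style\b/g) || []).length;
}
// Constructed sample: a lure mail whose CSS would blank the header rows.
const SAMPLE_HEADER = { From: "billing@example.invalid", Subject: "Action required" };
const SAMPLE_MAIL = '<style>th, td { display: none }</style><p>Please "verify" now</p>';
```

Shadow DOM scopes selectors, not inheritance: inherited properties flow from the host element into the shadow tree, but the mail's rules still cannot match the header outside it.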