I think I've found a couple of holes in the sqwebmail process of
stripping out tags / attributes that cause the loading of remote files
when viewing HTML emails. There are at least 3 cases (I believe) where
sqwebmail will allow external file references to remain in the source
of a message.
It appears that the 'background' attribute of at least certain tags (td
in particular, and almost certainly others) is not being stripped /
filtered out of the code like the src, lowsrc, and href attributes
typically are. According to the HTML specs this is not a legal
attribute to begin with (which likely explains why it's not currently
on the filtered list), but several browsers support its use anyway. So
IMO it needs to be handled if possible.
Also, when investigating this issue, I started considering what else
might have been missed in the current design of the filtering code. So,
I tried sending myself a few messages with CSS-defined images. It seems
that nothing is done about style tags nor style attributes contained
inside other tags. CSS can specify certain properties with url()
definitions -- properties such as background-image, list-style,
background, etc. -- causing the message to load an image, contrary to
expectations. Furthermore, the @import rule in a style tag can cause an
external file to be requested as well.
That's all actually fairly understandable, since filtering specific CSS
declarations out of a particular attribute (or the content of a tag)
might be difficult in a code design which currently seems (at least
apparently) to treat HTML attribute values (and tag contents) basically
as atoms -- i.e. to be discarded as a whole, or used in its entirety as
a portion of a redirected URL. But I think something should be done to
remove any url() values from CSS declarations. And likewise, in the
case of style tags, I think any @import rules should also be removed --
and possibly from any style attributes, in case any browsers improperly
allow @import rules inside style attributes.
So Sam, can you verify this and then correct the first behavior
(background attribute in tags) in an upcoming release? ... And
hopefully, if it's also feasible, work on the issue of style
definitions using @import rules and url() values as well?
Thanks!
-jab
P.S. Sam... Of course, I *am* going to try to work up a patch for at
least the first issue (and hopefully the second one) for you myself.
But if you can get it done fairly quickly, I certainly wouldn't hold my
breath waiting on me, if I were you. :) I mean, I might get to it and
be done quickly, but then again I might not. -- And you certainly know
the code better than I do after all.
- [sqwebmail] Re: background attr and CSS URL's not being st... James A Baker
- [sqwebmail] Re: background attr and CSS URL's not bei... Sam Varshavchik
- Re: [sqwebmail] Re: background attr and CSS URL's... James A Baker
- [sqwebmail] Re: background attr and CSS URL's... Sam Varshavchik
- [sqwebmail] Re: background attr and CSS URL's not... James A Baker
