Tickets :: [#10477] default setting for inline images: give link to show them

6.0.0-beta1

7/27/25

Summary	default setting for inline images: give link to show them
Queue	IMP
Queue Version	4.3.9
Type	Enhancement
State	Rejected
Priority	2. Medium
Owners
Requester	jpratt (at) bluehost (dot) com
Created	09/01/2011 (5078 days ago)
Due
Updated	09/06/2011 (5073 days ago)
Assigned
Resolved	09/01/2011 (5078 days ago)
Milestone
Patch	No

09/06/2011 09:25:44 PM	Michael Slusarz	Comment #6	Reply to this comment
Displaying HTML messages by default is a gigantic security hole that an admin has to make a choice to allow locally. OK can I suggest a better error message, such as HTML view is disabled for security reasons. We already do this in IMP 5 Also, are you saying that this is a gigantic security hole in general for all webmail services, even yahoo and gmail? Or specific to horde? It's a gigantic security hole in general. Yahoo and gmail are not immune to this. And advantage they may have is that their filtering is maintained by a (potentially) large group of engineers who are paid full-time. But that doesn't mean that their filters are foolproof.

09/06/2011 09:17:28 PM	jpratt (at) bluehost (dot) com	Comment #5	Reply to this comment
Displaying HTML messages by default is a gigantic security hole that an admin has to make a choice to allow locally. OK can I suggest a better error message, such as HTML view is disabled for security reasons. Also, are you saying that this is a gigantic security hole in general for all webmail services, even yahoo and gmail? Or specific to horde? Thank you

09/01/2011 11:17:04 PM	Michael Slusarz	Comment #4	Reply to this comment
[Show Quoted Text - 11 lines][Hide Quoted Text] Cpanel support suggested that the default setting is to diplay the message "There are no parts that can be displayed inline." However, we were able to change the config so that it displays "Images have been blocked to protect your privacy. Show Images?" I recommend that the "show images" link be offered as the default setting, not the" no parts that can be displayed inline" message. Please see the attached images for comparison. So if you are not blocking inline images, I presume the "show images' link should already be default, is that correct? This has nothing to do with blocking images. This has to do with displaying HTML parts inline. The default is to NOT allow this (html inline display is false). Displaying HTML messages by default is a gigantic security hole that an admin has to make a choice to allow locally. (The HTML filter shipped with H4 is much better than the H3 filter, but there are still no guarantees).

09/01/2011 09:14:51 PM	jpratt (at) bluehost (dot) com	Comment #3 New Attachment: Screenshot-1.png	Reply to this comment
Cpanel support suggested that the default setting is to diplay the message "There are no parts that can be displayed inline." However, we were able to change the config so that it displays "Images have been blocked to protect your privacy. Show Images?" I recommend that the "show images" link be offered as the default setting, not the" no parts that can be displayed inline" message. Please see the attached images for comparison. So if you are not blocking inline images, I presume the "show images' link should already be default, is that correct?

09/01/2011 08:49:17 PM	Michael Slusarz	Comment #2 State ⇒ Rejected	Reply to this comment
I am informed that the default setting intentionally blocks inline images in Horde (IMP 4.3.9), so email such as newsletters cannot be read. Do you mean images contained in HTML? We don't block inline images. We were able to change the config to offer the reader "show images", which solved the problem, but why isn't this set as default? It should be. There's a reason they are blocked by default. That's a crazy huge security risk to allow automatic loading of a foreign URL upon opening a message.

09/01/2011 05:33:11 PM	jpratt (at) bluehost (dot) com	Comment #1 Priority ⇒ 2. Medium Type ⇒ Enhancement Summary ⇒ default setting for inline images: give link to show them Queue ⇒ IMP Milestone ⇒ Patch ⇒ No New Attachment: Screenshot.png State ⇒ New	Reply to this comment
I am informed that the default setting intentionally blocks inline images in Horde (IMP 4.3.9), so email such as newsletters cannot be read. We were able to change the config to offer the reader "show images", which solved the problem, but why isn't this set as default? It should be. Specifically, we updated is the 'html' config section in /usr/local/cpanel/base/horde/imp/config/mime_drivers.php to get the option to "show images"