Sat, 22 Nov 2008 12:04:38 -0500 http://bugs.horde.org/ticket/6891 HTML messages created with IMP and FCKEDIT have formatting stripped while viewing with IE6/7 If you receive an HTML formatted message created in IMP.. when you view it in IE6/7, IMP will strip some of the formatting in the name of protecting us from XSS... <h1><span XSSCleaned="color: rgb(255, 0, 0);"><strong> <span XSSCleaned="font-size: xx-large;"> <span XSSCleaned="font-family: Verdana;">Red<br /> </span></span></strong></span></h1> You can view the message properly using the same IMP installation and other browsers / platforms. The problem mostly seems to be with "spans" and "styles". I've also seen it strip formatting from Mail.app messages. Tue, 10 Jun 2008 15:16:08 -0400 http://bugs.horde.org/ticket/6891#t46210 What's the bug/action here though? IE allows javascript in inline styles (expression: ...), so we have to strip them. Tue, 10 Jun 2008 15:26:01 -0400 http://bugs.horde.org/ticket/6891#t46212 Ah. Is this documented someplace? (e.g. "When using IE, we strip some formating because IE allows JS to be embedded in style information...") Mostly, I think our help desk was expecting the same messages to be displayed the same across browsers.. and I was surprised that IMP + IE was filtering some stuff in the name of XSS protection, when it wasn't on other browsers. Tue, 10 Jun 2008 15:45:18 -0400 http://bugs.horde.org/ticket/6891#t46214 > Is this documented someplace? (e.g. "When using IE, we strip some > formating because IE allows JS to be embedded in style > information...") Probably not anywhere user-visible. Suggestions on where that might usefully go would be welcome. Thu, 12 Jun 2008 14:32:07 -0400 http://bugs.horde.org/ticket/6891#t46342 Not closing out the possibility of doc improvements, but we can either reopen this, or you can post them elsewhere. Mon, 30 Jun 2008 14:55:59 -0400 http://bugs.horde.org/ticket/6891#t47027