Tickets :: [#7380] strip style attributes code and Firefox 3.0.1 (Mozilla 5)

6.0.0-beta1

7/22/25

Summary	strip style attributes code and Firefox 3.0.1 (Mozilla 5)
Queue	Horde Base
Queue Version	3.2.2
Type	Bug
State	Resolved
Priority	2. Medium
Owners	jan (at) horde (dot) org
Requester	agerhard (at) usp (dot) br
Created	09/23/2008 (6146 days ago)
Due
Updated	09/24/2008 (6145 days ago)
Assigned	09/23/2008 (6146 days ago)
Resolved	09/24/2008 (6145 days ago)
Github Issue Link
Github Pull Request
Milestone
Patch	No

09/24/2008 05:17:22 PM	Jan Schneider	Comment #7 Assigned to Jan Schneider State ⇒ Resolved	Reply to this comment
We filter out "position: absolute" styles now.

09/24/2008 05:16:50 PM	CVS Commit	Comment #6	Reply to this comment
Changes have been made in CVS for this ticket: http://cvs.horde.org/diff.php/imp/lib/MIME/Viewer/html.php?r1=1.148&r2=1.149&ty=u

09/24/2008 05:16:40 PM	agerhard (at) usp (dot) br	Comment #5	Reply to this comment
That being said, we do filter out style tags for any browser when rendering those messages inline. It's a bug if that doesn't happen. But the style tags are not being filtered out, because of the Mozilla version. style tags != style attributes Sorry, what I mean are the style attributes . Those are that are not being filtered out as they should.

09/24/2008 04:54:31 PM	Jan Schneider	Comment #4	Reply to this comment
That being said, we do filter out style tags for any browser when rendering those messages inline. It's a bug if that doesn't happen. But the style tags are not being filtered out, because of the Mozilla version. style tags != style attributes

09/23/2008 09:45:59 PM	agerhard (at) usp (dot) br	Comment #3 New Attachment: bad_message.txt	Reply to this comment
This has nothing to do with each other. It's always possible that an HTML message is breaking the page layout, you have to live with that if you enable inline rendering of HTML messages. Yes, I know. That being said, we do filter out style tags for any browser when rendering those messages inline. It's a bug if that doesn't happen. But the style tags are not being filtered out, because of the Mozilla version. The code from html.php is: $strip_style_attributes = (($browser->isBrowser('mozilla') && $browser->getMajor() == 4) \|\| $browser->isBrowser('msie')); So when $browser->getMajor() == 5, $strip_style_attributes = 0 If I change the code to accept the 5 version, then strip_style_attributes = 1 and the page is rendered ok. Please upload an example message. Uploaded as an attachment.

09/23/2008 09:18:18 PM	Jan Schneider	Comment #2 State ⇒ Feedback	Reply to this comment
This has nothing to do with each other. It's always possible that an HTML message is breaking the page layout, you have to live with that if you enable inline rendering of HTML messages. That being said, we do filter out style tags for any browser when rendering those messages inline. It's a bug if that doesn't happen. Please upload an example message.

09/23/2008 08:53:43 PM	agerhard (at) usp (dot) br	Comment #1 Priority ⇒ 2. Medium Type ⇒ Bug Summary ⇒ strip style attributes code and Firefox 3.0.1 (Mozilla 5) Queue ⇒ Horde Base Milestone ⇒ Patch ⇒ No State ⇒ Unconfirmed	Reply to this comment
I have a HTML email message that is not rendered correctly in IMP (it mixes with the IMP code). I think that the correct behavior is to strip the style tags, but this didn't happens in Firefox 3.0.1. There is a test in lib/Horde/MIME/Viewer/html.php that checks for the major version of Mozilla. This triggers the strip style attributes code / regexp in xss.php. But It is checking only against version 4; Firefox 3.0.1 major version is 5, so the strip style code doesn't runs.