2019-04-21

[#10477] default setting for inline images: give link to show them
Summary default setting for inline images: give link to show them
Queue IMP
Queue Version 4.3.9
Type Enhancement
State Rejected
Priority 2. Medium
Owners
Requester jpratt (at) bluehost (dot) com
Created 2011-09-01 (2789 days ago)
Due
Updated 2011-09-06 (2784 days ago)
Assigned
Resolved 2011-09-01 (2789 days ago)
Milestone
Patch No

History
2011-09-06 21:25:44 Michael Slusarz Comment #6
>> Displaying HTML messages by default is a
>> gigantic security hole that an admin has to make a choice to allow
>> locally.
> OK can I suggest a better error message, such as HTML view is
> disabled for security reasons.
We already do this in IMP 5
> Also, are you saying that this is a gigantic security hole in
> general for all webmail services, even yahoo and gmail? Or specific
> to horde?
It's a gigantic security hole in general.  Yahoo and gmail are not
immune to this.  An advantage they may have is that their filtering
is maintained by a (potentially) large group of engineers who are paid
full-time.  But that doesn't mean that their filters are foolproof.
2011-09-06 21:17:28 jpratt (at) bluehost (dot) com Comment #5
> Displaying HTML messages by default is a gigantic security hole that
> an admin has to make a choice to allow locally.
OK can I suggest a better error message, such as HTML view is disabled
for security reasons.

Also, are you saying that this is a gigantic security hole in general
for all webmail services, even yahoo and gmail? Or specific to horde?

Thank you
2011-09-01 23:17:04 Michael Slusarz Comment #4
This has nothing to do with blocking images.  This has to do with 
displaying HTML parts inline.  The default is to NOT allow this (html 
inline display is false).  Displaying HTML messages by default is a 
gigantic security hole that an admin has to make a choice to allow 
locally.  (The HTML filter shipped with H4 is much better than the H3 
filter, but there are still no guarantees).
2011-09-01 21:14:51 jpratt (at) bluehost (dot) com Comment #3
New Attachment: Screenshot-1.png
Cpanel support suggested that the default setting is to display the
message "There are no parts that can be displayed inline." However, we
were able to change the config so that it displays "Images have been
blocked to protect your privacy. Show Images?"

I recommend that the "show images" link be offered as the default
setting, not the "no parts that can be displayed inline" message.
Please see the attached images for comparison.

So if you are not blocking inline images, I presume the "show images"
link should already be default, is that correct?
2011-09-01 20:49:17 Michael Slusarz Comment #2
State ⇒ Rejected
> I am informed that the default setting intentionally blocks inline
> images in Horde (IMP 4.3.9), so email such as newsletters cannot be
> read.
Do you mean images contained in HTML?  We don't block inline images.
> We were able to change the config to offer the reader "show images",
> which solved the problem, but why isn't this set as default? It
> should be.
There's a reason they are blocked by default.  That's a crazy huge
security risk to allow automatic loading of a foreign URL upon opening
a message.
2011-09-01 17:33:11 jpratt (at) bluehost (dot) com Comment #1
Type ⇒ Enhancement
State ⇒ New
Priority ⇒ 2. Medium
Summary ⇒ default setting for inline images: give link to show them
Queue ⇒ IMP
Milestone ⇒
Patch ⇒ No
New Attachment: Screenshot.png
I am informed that the default setting intentionally blocks inline 
images in Horde (IMP 4.3.9), so email such as newsletters cannot be 
read.

We were able to change the config to offer the reader "show images", 
which solved the problem, but why isn't this set as default? It should 
be.

Specifically, we updated the 'html' config section in
/usr/local/cpanel/base/horde/imp/config/mime_drivers.php to get the
option to "show images"
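
The replies in this ticket separate images carried inside the message from images loaded from a foreign URL when the message is opened. The Python sketch below is an added example, not part of the ticket and not Horde/IMP code: it leaves `cid:` and `data:` references alone, makes every other fetch attribute inert, and returns the blocked URLs so a viewer can offer a "Show Images?" link. The function name, the `data-blocked-*` attribute prefix and the sample hostnames are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that make a client fetch a URL as soon as the message renders.
FETCH_ATTRS = {"src", "srcset", "background", "poster"}
# Schemes resolved inside the message itself (MIME parts, embedded data).
LOCAL_SCHEMES = {"cid", "data"}

class RemoteImageBlocker(HTMLParser):
    """Rewrites fetch attributes only: not a sanitizer, no CSS url() handling."""
    def __init__(self):
        super().__init__(convert_charrefs=False)  # pass entities through untouched
        self.out, self.blocked = [], []

    @staticmethod
    def _is_remote(name, value):
        try:  # srcset may list several URLs, so it is denied outright
            return name == "srcset" or urlsplit(value.strip()).scheme.lower() not in LOCAL_SCHEMES
        except ValueError:  # unparseable URL: default deny
            return True

    def _emit(self, tag, attrs, end=">"):
        parts = [tag]
        for name, value in attrs:
            if name in FETCH_ATTRS and value is not None and self._is_remote(name, value):
                self.blocked.append(value)
                name = "data-blocked-" + name  # URL kept but inert until the user opts in
            parts.append(name if value is None else f'{name}="{escape(value)}"')
        self.out.append("<" + " ".join(parts) + end)

    def handle_starttag(self, tag, attrs): self._emit(tag, attrs)
    def handle_startendtag(self, tag, attrs): self._emit(tag, attrs, " />")
    def handle_endtag(self, tag): self.out.append(f"</{tag}>")
    def handle_data(self, data): self.out.append(data)
    def handle_entityref(self, name): self.out.append(f"&{name};")
    def handle_charref(self, name): self.out.append(f"&#{name};")

def block_remote_images(html_body):
    """Return (rewritten_html, blocked_urls); a non-empty list means show the link."""
    parser = RemoteImageBlocker()
    parser.feed(html_body)
    parser.close()
    return "".join(parser.out), parser.blocked

# Constructed sample message body (not taken from the ticket).
SAMPLE = ('<p>Newsletter &amp; offers</p><img src="cid:logo@newsletter.example">'
          '<img src="http://tracker.example/open.gif?u=42" width="1">'
          '<td background="//cdn.example/bg.png">x</td>')
```

Schemeless and protocol-relative URLs are treated as remote on purpose, so anything that is not provably inside the message stays blocked.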



