6.0.0-git
2019-04-24

[#7380] strip style attributes code and Firefox 3.0.1 (Mozilla 5)
Summary strip style attributes code and Firefox 3.0.1 (Mozilla 5)
Queue Horde Base
Queue Version 3.2.2
Type Bug
State Resolved
Priority 2. Medium
Owners jan (at) horde (dot) org
Requester agerhard (at) usp (dot) br
Created 2008-09-23 (3865 days ago)
Due
Updated 2008-09-24 (3864 days ago)
Assigned 2008-09-23 (3865 days ago)
Resolved 2008-09-24 (3864 days ago)
Milestone
Patch No

History
2008-09-24 17:17:22 Jan Schneider Comment #7
Assigned to Jan Schneider
State ⇒ Resolved
We filter out "position: absolute" styles now.
2008-09-24 17:16:50 CVS Commit Comment #6
2008-09-24 17:16:40 agerhard (at) usp (dot) br Comment #5
>>> That being said, we *do* filter out style tags for any browser when
>>> rendering those messages inline. It's a bug if that doesn't happen.
>> But the style tags are not being filtered out, because of the Mozilla
>> version.
> style tags != style attributes
Sorry, what I mean are the style attributes. Those are the ones that are not being
filtered out as they should.
2008-09-24 16:54:31 Jan Schneider Comment #4
>> That being said, we *do* filter out style tags for any browser when
>> rendering those messages inline. It's a bug if that doesn't happen.
> But the style tags are not being filtered out, because of the Mozilla
> version.
style tags != style attributes
2008-09-23 21:45:59 agerhard (at) usp (dot) br Comment #3
New Attachment: bad_message.txt
> This has nothing to do with each other. It's always possible that an
> HTML message is breaking the page layout, you have to live with that
> if you enable inline rendering of HTML messages.
Yes, I know.
> That being said, we *do* filter out style tags for any browser when
> rendering those messages inline. It's a bug if that doesn't happen.
But the style tags are not being filtered out, because of the Mozilla version.

The code from html.php is:

$strip_style_attributes = (($browser->isBrowser('mozilla') &&
                            $browser->getMajor() == 4) ||
                           $browser->isBrowser('msie'));

So when $browser->getMajor() == 5, $strip_style_attributes = 0

If I change the code to accept the 5 version, then strip_style_attributes = 1
and the page is rendered ok.
> Please upload an example message.
Uploaded as an attachment.
2008-09-23 21:18:18 Jan Schneider Comment #2
State ⇒ Feedback
This has nothing to do with each other. It's always possible that an 
HTML message is breaking the page layout, you have to live with that 
if you enable inline rendering of HTML messages.

That being said, we *do* filter out style tags for any browser when 
rendering those messages inline. It's a bug if that doesn't happen. 
Please upload an example message.
2008-09-23 20:53:43 agerhard (at) usp (dot) br Comment #1
Type ⇒ Bug
State ⇒ Unconfirmed
Priority ⇒ 2. Medium
Summary ⇒ strip style attributes code and Firefox 3.0.1 (Mozilla 5)
Queue ⇒ Horde Base
Milestone ⇒
Patch ⇒ No
I have an HTML email message that is not rendered correctly in IMP (it
mixes with the IMP code).

I think that the correct behavior is to strip the style tags, but this
didn't happen in Firefox 3.0.1.

There is a test in lib/Horde/MIME/Viewer/html.php that checks for the
major version of Mozilla.
This triggers the strip style attributes code / regexp in xss.php.

But it is checking only against version 4; Firefox 3.0.1 major version
is 5, so the strip style code doesn't run.
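
The version gate discussed in this ticket, as an added example that is not part of the ticket or of Horde's code: it evaluates the condition quoted in comment #3 for three clients and contrasts it with stripping style attributes regardless of the client. StubBrowser, gateFromTicket and stripStyleAttributes are hypothetical names, the sample message is constructed, and the DOM-based stripping stands in for the regexp in xss.php, which this page does not show.

```php
<?php
// Added illustration, not Horde code. StubBrowser is a hypothetical stand-in
// exposing only the two methods used in the snippet quoted from html.php.
final class StubBrowser
{
    public function __construct(private string $name, private int $major) {}
    public function isBrowser(string $name): bool { return $this->name === $name; }
    public function getMajor(): int { return $this->major; }
}

// The condition exactly as quoted in comment #3.
function gateFromTicket(StubBrowser $browser): bool
{
    return ($browser->isBrowser('mozilla') && $browser->getMajor() == 4)
        || $browser->isBrowser('msie');
}

// Client-independent alternative: remove every style attribute via the DOM.
function stripStyleAttributes(string $html): string
{
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true); // mail HTML is often malformed
    $doc->loadHTML('<?xml encoding="UTF-8"><div id="wrap">' . $html . '</div>');
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $xpath = new DOMXPath($doc);
    foreach (iterator_to_array($xpath->query('//*[@style]')) as $el) {
        $el->removeAttribute('style');
    }
    $out = '';
    foreach ($xpath->query('//div[@id="wrap"]')->item(0)->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed sample body, modelled on the "position: absolute" case.
$mail = '<p style="position: absolute; top: 0">Overlaps the UI</p><b>ok</b>';

foreach ([['mozilla', 4], ['mozilla', 5], ['msie', 7]] as [$name, $major]) {
    $on = gateFromTicket(new StubBrowser($name, $major));
    printf("%-8s major=%d strip=%s\n", $name, $major, $on ? 'yes' : 'no');
}
echo stripStyleAttributes($mail), "\n";
```

The gate turns stripping off for the mozilla/5 client, which is the case reported in this ticket, while the unconditional function removes the attribute for every client.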
