#2654 Can't view html email with javascript on it.

open
nobody
5
2009-07-16
2009-07-16
No

Hi all,

Today I recived an email with some javascript code included(from some newsletters) and I SM only show me the subject. I know, JS on an email is not a good idea, but I was wondering if theres some workaround to strip out or invalidate JS codes.

Discussion

  • Jonathan Angliss

    When you say "only show me the subject" does it not show any other part of the body? This sounds like a PHP error occurred, and the page stopped executing. You should see:

    http://squirrelmail.org/docs/admin/admin-11.html#ss11.1

    This will help you diagnose the potential error.

     
  • Paul Lesniewski

    Paul Lesniewski - 2009-07-16

    You can also use the Message Details plugin to view the full email source and send it to us for diagnosis... unless you can't see the "message details" link. If so, dig the email out of your mail spool manually or use another mail client to get it.

     
  • Paul Lesniewski

    Paul Lesniewski - 2009-07-16
    • status: open --> pending
     
  • João Lyanderson

    header

     
  • João Lyanderson

    Thanks for the very fast reply.

    So, tried jangliss sugestion, and no, PHP doesn't produce any error at all.
    Just one thing to add here: I ripped off all JS code on this email, sent, and SM shows me everything just fine.

     
  • João Lyanderson

    • status: pending --> open
     
  • Paul Lesniewski

    Paul Lesniewski - 2009-07-16
    • status: open --> pending
     
  • Paul Lesniewski

    Paul Lesniewski - 2009-07-16

    Your comments are entirely useless. Are you SURE there are no PHP errors? Maybe your PHP error settings are obfuscating them. Either way, what exactly do you expect us to do when you can't actually explain the problem with sufficient detail and won't provide an example so we can reproduce it? I suggest you file a help request on our mailing list instead, providing ALL of the system details needed so we can reproduce the issue ourselves.

     
  • João Lyanderson

    I'm sorry if my comments are useless, but I guess theres no way to explain this in a more simple way: SM doesn't show any e-mail with javascript on it. There are NO PHP errors, I checked everything and I'm 100% sure. I sent the email source. So what kind of detail you want? I can send you the same email so you can take a look.

     
  • João Lyanderson

    • status: pending --> open
     
  • Jonathan Angliss

    Version information would be handy. Could you also attach the message complete, instead of in parts. The message details plugin should be able to get you the entire body.

     
  • João Lyanderson

    SquirrelMail 1.4.15

     
  • João Lyanderson

    Fixed by ripping off JS code.

     
  • João Lyanderson

    • status: open --> closed
     
  • Paul Lesniewski

    Paul Lesniewski - 2009-07-16

    You need to send the full message source. Get it out of your mail spool or by viewing the source of the message in SM or another client. What you sent is not the message source - it's pieces thereof. "Fixed by ripping off JS code" is *not* a fix at all -- SM displays any messages that I have seen with JavaScript just fine (by stripping out most of it), and that is how it does and should work. If, in fact, you have found some JavaScript that trips up SM, then we want to fix it the right way, so that SM can handle that JavaScript. The fix should not be for you to have to remove it from your emails.

     
  • Paul Lesniewski

    Paul Lesniewski - 2009-07-16

    Confirmed as a bug, probably in functions/mime.php, function magicHTML(). When the message is sanitized, the CSS at the top of the body is the only thing left - the body accidentally is removed, too.

     
  • Paul Lesniewski

    Paul Lesniewski - 2009-07-16
    • status: closed --> open
     
  • Paul Lesniewski

    Paul Lesniewski - 2009-07-16

    The bug is caused by the < character that is used in some of the JavaScript functions. The HTML sanitizer is probably mistaking it for an opening tag, and thereafter its parsing is horribly broken. This may be a fundamental bug - I'm not sure how feasible a fix will be. Example JavaScript code:

    function checkAll(){
    campo = document.impressao_geral;
    for (i = 0; i < campo.ocorrencias.length; i++)
    {campo.ocorrencias[i].checked = true;}
    }

     
  • João Lyanderson

    Glad to hear it! I "hot fixed" this because it was critical to my aplication. I suspected its was the "<" character...but I couldn't think anything better to do about it. Hope you guys can find a better solution than mine, which I'll glad to share with you if this help.

     
  • Paul Lesniewski

    Paul Lesniewski - 2009-07-16

    When sanitizing, function sq_sanitize() loops through the body, getting each tag by calling function sq_getnxtag(). Function sq_getnxtag() calls function sq_findnxstr(), which merely finds the next < character and blindly assumes it's the next opening bracket for a tag declaration. Then function sq_skipspace() is called to effectively remove any space between the < and the tag name, so the previous example becomes something like a tag called <campo>. This tag is not a known tag (no big deal), but the fact that it is not then closed later probably trips up the parser.

    It'd be nice to say we can look for tags by finding < followed immediately by a letter a-z (no spaces allowed), however, I think we allow spaces because some browsers will allow such tags. This may be something we have to implement in our development stream, particularly if we move to a whitelist-based HTML sanitizer.

     

Log in to post a comment.

Get latest updates about Open Source Projects, Conferences and News.

Sign up for the SourceForge newsletter:





No, thanks