[imp] Problems with viewing inline HTML
gpreston@ycp.edu
Mon, 22 Jul 2002 14:08:35 -0400
So would the best fix for this problem be to tweak imp/lib/MIME/Viewer/html.php
to suit my needs, or would this be better taken care of somewhere else?
-Gabe
Quoting Eric Rostetter <eric.rostetter@physics.utexas.edu>:
> Quoting gpreston@ycp.edu:
>
> > I've got a small problem when trying to view an email that is HTML.
>
> If done by a malicious site, this could become a big problem... ;0
>
> > I have it
> > set to view the email inline
>
> And you hopefully read the comments when you enabled it about how dangerous
> this is? I only recommend doing this if you have something pre-filter
> the html, as IMP doesn't do a terribly effective job of filtering out
> malicious code (though it tries).
>
> > problem- The links at the bottom of the page are sometimes screwed up. They
>
> This can happen whenever the html contains a BASE tag. Only way to fix it
> is to disable BASE tags. Personally I disable all of the tags in
> (META|APP|SCRIPT|OBJECT|EMBED|FRAME|IFRAME|LAYER|BASE|STYLE) myself.
>
> > The only thing I can see that is causing this is that some of these HTML
> > emails that I'm viewing have a new target set for links, and are calling
> > in their own remote CSS files and this is conflicting with all of IMP's
> > links at the bottom of the page.
>
> You're lucky if it is only the links at the bottom. If done right it can
> muck with (redirect) all the links on the page. ;)
>
> > Is anyone else experiencing this problem or am I the only one who's
> > noticed this, and, does anyone know a quick fix to this problem?
>
> Nope, it is a "known problem" in the world of web mail. Don't remember
> any recent discussions of this on the IMP lists, but it is not IMP
> specific either. This kind of issue (not filtering active html tags)
> can cause vulnerabilities in almost any html-rendering email client.
> The best way to solve it is to filter the html before it gets to the
> clients...
>
> --
> Eric Rostetter
> The Department of Physics
> The University of Texas at Austin
>
> "TAD (Technology Attachment Disorder) is an unshakable, impractical devotion
> to a brand, platform, product line, or programming language. It's relatively
> harmless among the rank and file, but when management is afflicted the
> damage can be measured in dollars. It's also contagious -- someone with
> sufficient political clout can infect an entire organization."
>
> --"Enterprise Strategies" columnist Tom Yager.
>
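
Added example, not part of the original thread and not IMP's code: one way to pre-filter an HTML message body before a webmail client renders it, dropping the tags in the list quoted above so that a BASE tag can no longer re-point the client's own relative links. The names `MailHtmlFilter` and `filter_mail_html`, the prefix matching and the sample message are assumptions of this example; it covers only the listed tags, so attributes and tags outside the list (LINK, for instance) pass through.

```python
from html import escape
from html.parser import HTMLParser

# Tag-name prefixes from the list quoted in the thread. Prefix matching is an
# assumption of this example (APP covers APPLET, FRAME covers FRAMESET).
BLOCKED = ("meta", "app", "script", "object", "embed", "frame",
           "iframe", "layer", "base", "style")
# Blocked containers whose enclosed text is discarded along with the tag.
DROP_CONTENT = ("app", "script", "object", "iframe", "style")

class MailHtmlFilter(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip = []  # open content-dropping elements, innermost last

    def handle_starttag(self, tag, attrs):
        if tag.startswith(DROP_CONTENT):
            self.skip.append(tag)
        if self.skip or tag.startswith(BLOCKED):
            return
        text = "".join(f" {escape(k)}" if v is None else
                       f' {escape(k)}="{escape(v)}"' for k, v in attrs)
        self.out.append(f"<{tag}{text}>")

    def handle_startendtag(self, tag, attrs):
        if not tag.startswith(BLOCKED):  # <br/> style tags: emit once
            self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if self.skip and self.skip[-1] == tag:
            self.skip.pop()
        elif not self.skip and not tag.startswith(BLOCKED):
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:  # text is re-escaped, never passed through raw
            self.out.append(escape(data, quote=False))

def filter_mail_html(html):
    parser = MailHtmlFilter()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)

# Constructed sample message body (mail.invalid is a placeholder host).
SAMPLE = ('<html><head><base href="http://mail.invalid/" target="_top">'
          '<style>a{display:none}</style></head><body><p>Hi &amp; bye</p>'
          '<script>alert(1)</script><a href="next.php">more</a></body></html>')
```

Comments and declarations are dropped as a side effect, because the parser's default handlers for them emit nothing.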