Bug 429393

Summary: HTML email "leaks" styles into headers
Product: [Applications] kmail2 Reporter: Thomas Tanghus <thomas>
Component: generalAssignee: kdepim bugs <pim-bugs-null>
Status: RESOLVED DUPLICATE    
Severity: normal CC: bugs.kde.org, jjm, montel
Priority: NOR    
Version First Reported In: 5.15.1   
Target Milestone: ---   
Platform: Ubuntu   
OS: Linux   
Latest Commit: Version Fixed/Implemented In:
Sentry Crash Report:
Attachments: Plain
HTML

Description Thomas Tanghus 2020-11-20 13:02:21 UTC 
SUMMARY
When you view an HTML email sometimes the styles - CSS? - is also changing the header

STEPS TO REPRODUCE
1. Set KMail to use standard headers (Fancy headers also fails)
2. Add Toggle HTML Mode to toolbar (can't find other ways to do it?)
3. View an (some) HTML emails, toggle to HTML mode on each.
4. Watch & Judge

OBSERVED RESULT
The headers changes style

EXPECTED RESULT
The headers should remain the same.

SOFTWARE/OS VERSIONS
Operating System: Kubuntu 20.10
KDE Plasma Version: 5.19.5
KDE Frameworks Version: 5.74.0
Qt Version: 5.14.2
Kernel Version: 5.8.0-30-generic
OS Type: 64-bit

ADDITIONAL INFORMATION
Comment 1 Thomas Tanghus 2020-11-20 13:03:16 UTC 
Created attachment 133497 [details]
Plain
Comment 2 Thomas Tanghus 2020-11-20 13:03:52 UTC 
Created attachment 133498 [details]
HTML
Comment 3 Jonathan Marten 2020-11-21 13:20:41 UTC 
See also bug 317177 for fancy headers.

This is obviously a general problem where any conflicting CSS included in a HTML message body could leak out into the header display.  It may even be possible for a malicious message to hide or change header information, thus becoming a security risk.  This cannot be worked around by filtering styles used by the header out of the message CSS, because KMail cannot know what style elements the header may use - it may have been written by the user or downloaded.

Would it be possible to "sandbox" the message HTML isolated from the header - maybe within an iframe or similar element?
Comment 4 Laurent Montel 2020-11-22 09:09:08 UTC 
could you send me it your email in private ?
Thanks
Comment 5 Thomas Tanghus 2020-11-22 09:29:05 UTC 
(In reply to Laurent Montel from comment #4)
> could you send me it your email in private ?
> Thanks

I have tried to send it to you, but I'm not sure it actually got sent as KMail didn't give any notifications. Let me know if it hasn't arrived.
Comment 6 Laurent Montel 2020-11-22 10:53:24 UTC 
I received it.
Thanks
Comment 7 Laurent Montel 2020-11-23 05:52:49 UTC 
(In reply to Jonathan Marten from comment #3)
> See also bug 317177 for fancy headers.
> 
> This is obviously a general problem where any conflicting CSS included in a
> HTML message body could leak out into the header display.  It may even be
> possible for a malicious message to hide or change header information, thus
> becoming a security risk.  This cannot be worked around by filtering styles
> used by the header out of the message CSS, because KMail cannot know what
> style elements the header may use - it may have been written by the user or
> downloaded.
> 
> Would it be possible to "sandbox" the message HTML isolated from the header
> - maybe within an iframe or similar element?

Hi
iframe can be a good idea but we can't know what is the exact message height so we can have two scrollbar it's not good at the moment.
But isolate message must be a good idea.
I need to continue to investigate it.
Comment 8 Erik Quaeghebeur 2022-01-01 10:22:30 UTC 

*** This bug has been marked as a duplicate of bug 371656 ***