Bug 441829

Summary: Rendering of HTML can bleed over message headers
Product: [Applications] kmail2 Reporter: simon
Component: generalAssignee: kdepim bugs <kdepim-bugs>
Status: RESOLVED DUPLICATE    
Severity: normal CC: bugs.kde.org, jjm, montel
Priority: NOR    
Version: 5.15.3   
Target Milestone: ---   
Platform: Debian stable   
OS: Linux   
Latest Commit: Version Fixed In:
Sentry Crash Report:
Attachments: Rendering
HTML - from phisher - be careful
mbox format spam

Description simon 2021-08-31 19:17:29 UTC
Created attachment 141198 [details]
Rendering

SUMMARY

STEPS TO REPRODUCE
1. Received spam email 
2. View in Kmail with HTML enabled.

OBSERVED RESULT

The spammer HTML is rendered bleeding over the message list component, this allows the scammer to fake information, as well as making their phishing attack more effective.

EXPECTED RESULT

The mail client will prevent the email content corrupting the display of message metadata, so that users can make informed choices, and are less likely to be fooled.


SOFTWARE/OS VERSIONS
Linux/KDE Plasma: 
(available in About System)
KDE Plasma Version: 5.20.5
KDE Frameworks Version: 5.78.0
Qt Version: 5.15.2

ADDITIONAL INFORMATION
Comment 1 simon 2021-08-31 19:22:50 UTC
Created attachment 141199 [details]
HTML - from phisher - be careful

Attaching the decoded HTML from the email. Although I wouldn't have thought it useful for fixing the issues, it might help reproduce the test case.
Comment 2 Laurent Montel 2021-09-01 06:18:22 UTC
Is it possible to save email as mbox and send me it (in private as you want).
Thanks
Comment 3 Jonathan Marten 2021-09-01 12:12:32 UTC
Duplicate of 429393?
Comment 4 simon 2021-09-01 12:35:46 UTC
Created attachment 141217 [details]
mbox format spam
Comment 5 simon 2021-09-01 12:43:04 UTC
Agree on duplicate of 429393, although the description there isn't clear that the HTML can alter the headers entirely that is only picked up on in the comments.
Comment 6 Erik Quaeghebeur 2022-01-01 10:10:50 UTC

*** This bug has been marked as a duplicate of bug 371656 ***