kMail 5.3.3 pre In several cases, a displayed HTML mail influences the fancy message header's style. See the attached screenshots for reference - the screenshot taken in plain text view shows how the header should look like. The screenshot taken in the HTML view shows how the mail's styles influence the header. Notice the missing borders around the header, the increased title text size and the messed-up formatting of the dspam status line. BTW: The dspam status formatting differs from all other header line formattings, as it's expressed using completely different HTML tags: ***************************************************************************** <tr><th>Date: </th> <td dir="ltr">Di. 25.10.16 11:13</td></tr> <tr><td colspan="2"><div class="spamheader" dir="ltr"><b>Spam Status:</b> <span style="padding-left: 20px;">DSpam <img src="data:image/PNG;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAABCAMAAADpTH4XAAAASFBMVEUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD///+qqqoAAAD2cKDYAAAAGHRSTlMAAAAAAAAAAAAAAAAAAAAAAAAAAAD//wCysdQaAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAAC0lEQVQImWMQxQIAEU8BpQ0ofWgAAAAASUVORK5CYII=" width="20" height="5" style="border: 1px solid black;" title="Mit 0.00 %iger Wahrscheinlichkeit Spam (Vertrauensniveau: 99.37 %). Ausführlicher Bericht: Wahrscheinlichkeit=0.0000 Vertrauensniveau=0.9937"> 99.37% </span></div></td></tr> ***************************************************************************** Reproducible: Always
where is the screenshot ?:)
Created attachment 101814 [details] Correct header in plain text view.
Created attachment 101815 [details] Header re-formatted by the displayed HTML mail.
Whoops, sorry. Attached. Did I mention that the "missing attachment warner" is one of kMail's most valuable features? :-D
Created attachment 101831 [details] email message used for the screenshots Sorry, I also forgot to attach the testcase message... :-( Here it is.
Still an issue in 5.18.3 (apparently this version is not available in drop down menu). This is actually an issue in messageviewer. It happens because the HTML message's header (including style) is used for the full message view, to which the header and attachment footers are added. So any HTML message style not explicitly overridden in the header theme, but different from the default KMail style can wreak havoc on the header. This cannot reasonably be fixed is the header themes. What should happen is that the HTML message is displayed in a separate box (iframe or something less intrusive) and that its header is not used for the full message view.
*** Bug 359425 has been marked as a duplicate of this bug. ***
*** Bug 340621 has been marked as a duplicate of this bug. ***
See also 441829, 429393, 317177
*** Bug 441829 has been marked as a duplicate of this bug. ***
*** Bug 429393 has been marked as a duplicate of this bug. ***
As is clear from some bug reports marked as a duplicate of this one, this issue is a security risk. Namely, the HTML's CSS may apply changes in an adversarial way, to, e.g., make phising scams more credible and more difficult to detect by the user. I've added that this is a security risk to the header and increased the importance. I've also indicated that it is still present in the current development branch. What has not yet been mentioned, I think, is that this issue can affect display of attachments. Any ideas for fixing this are welcome. The current rendering engine is far more advanced than it was five years ago, so we may have better options now.
1. I have looked at two webmail clients (Fastmail and Web Outlook) to see how they deal with this issue. They essentially seem to include a div with the HTML email that includes the style element for that email. While this is against the html spec (style may only be introduced in the head element), it seems to work decently. 2. After reading up on the current state of HTML, a possibly spec-compliant fix might be achieved using ‘Web Components’ <https://developer.mozilla.org/en-US/docs/Web/Web_Components>, using templates and/or slots. It seems designed mostly with dynamic pages in mind, bit may be usable even for kmail's relatively simple purpose. How exactly this could be done is not clear to me yet, TBH.