Bug 377247 - kMail 2 does not properly escape header
Summary: kMail 2 does not properly escape header
Status: RESOLVED FIXED
Alias: None
Product: kmail2
Classification: Applications
Component: UI
Version: 5.4.1
Platform: Neon Linux
Importance: NOR normal
Target Milestone: ---
Assignee: kdepim bugs
Reported: 2017-03-05 16:47 UTC by Gunter Ohrner
Modified: 2017-03-06 12:31 UTC

Version Fixed In: 5.4.3


Attachments
Example Message (716 bytes, message/rfc822)
2017-03-06 10:13 UTC, Gunter Ohrner

Description Gunter Ohrner 2017-03-05 16:47:02 UTC
kMail does not escape the "Sender" header's contents properly before interpreting the mail text as HTML.

This issue basically is the same as Bug 361173 (Disposition-Notification-To not correctly escaped in message viewer), just with a different header - maybe the same problem still lingers for other headers as well?

Here follows an excerpt of a message's "view source / HTML" view:

-------------------------------------------------------------------
<div class="row">
 <div class="headerleft">Sender:</div>
 <div class="headerright">Gunter Ohrner <senderaddress@example.com></senderaddress@example.com></div>
</div>
-------------------------------------------------------------------

The original "Sender" header contained "Gunter Ohrner <senderaddress@example.com>" and the brackets should have been escaped instead of being interpreted as HTML tags...

Also, for other headers which may contain mail addresses, those addresses are converted to links by kMail, which would also be a good idea for the "Sender" header. (I think this is not done for the "Disposition-Notification-To" after the fix, for whatever reason?)
Comment 1 Gunter Ohrner 2017-03-05 16:50:46 UTC
Additional info: I'm currently using the "kMail 5.2" header style, as my kMail 5.4.1 does not offer any other at the moment...
Comment 2 Laurent Montel 2017-03-06 09:16:50 UTC
Hi,
Is it possible to provide a test case?
Thanks
Regards
Comment 3 Gunter Ohrner 2017-03-06 10:13:56 UTC
Created attachment 104399
Example Message

A tiny example message is attached.

HTML control characters can possibly be contained in most header fields, I guess, so those probably should be escaped by default in general and independent of the currently selected header style.

In addition, detected mail addresses probably should always be crosslinked. (Which, for example, does not seem to be the case for the Disposition-Notification-To header field.)
Comment 4 Laurent Montel 2017-03-06 12:31:03 UTC
Git commit 3b0126cd9d716091f53b26cd0f03e9ced624126b by Montel Laurent.
Committed on 06/03/2017 at 12:30.
Pushed by mlaurent into branch 'Applications/16.12'.

Fix Bug 377247 - kMail 2 does not properly escape header

FIXED-IN: 5.4.3

M  +1    -1    messageviewer/src/header/grantleeheaderformatter.cpp

https://commits.kde.org/messagelib/3b0126cd9d716091f53b26cd0f03e9ced624126b
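
The escaping and address linking requested in this report, as an added example that is not kMail's code and not the content of the commit above. It uses only the C++ standard library; the function names and the conservative address pattern are assumptions made for illustration, and the class names are taken from the excerpt in the description.

```cpp
#include <iostream>
#include <regex>
#include <string>

// Escape the characters that are significant in HTML text and attribute values.
std::string escapeHtml(const std::string &in) {
    std::string out;
    for (char c : in) {
        switch (c) {
        case '&': out += "&amp;"; break;
        case '<': out += "&lt;"; break;
        case '>': out += "&gt;"; break;
        case '"': out += "&quot;"; break;
        case '\'': out += "&#39;"; break;
        default: out += c;
        }
    }
    return out;
}

// Render an address-bearing header value. Everything is escaped by default; only a
// "<local@domain>" made of a conservative character set (assumption, not full RFC 5322)
// becomes a mailto: link. Anything else in angle brackets is shown as literal text.
std::string renderAddressValue(const std::string &raw) {
    static const std::regex addr(R"(<([A-Za-z0-9._+-]+@[A-Za-z0-9.-]+)>)");
    std::string out;
    std::size_t pos = 0;
    for (auto it = std::sregex_iterator(raw.begin(), raw.end(), addr);
         it != std::sregex_iterator(); ++it) {
        const auto start = static_cast<std::size_t>(it->position());
        out += escapeHtml(raw.substr(pos, start - pos));  // text before the address
        const std::string a = (*it)[1].str();             // safe characters only
        out += "&lt;<a href=\"mailto:" + a + "\">" + a + "</a>&gt;";
        pos = start + static_cast<std::size_t>(it->length());
    }
    return out + escapeHtml(raw.substr(pos));             // trailing text
}

// Build one header row in the layout shown in the report's HTML excerpt.
std::string renderHeaderRow(const std::string &name, const std::string &rawValue) {
    return "<div class=\"row\">\n <div class=\"headerleft\">" + escapeHtml(name)
         + ":</div>\n <div class=\"headerright\">" + renderAddressValue(rawValue)
         + "</div>\n</div>\n";
}

int main() {
    // First value is the Sender header quoted in the report; the second is constructed.
    std::cout << renderHeaderRow("Sender", "Gunter Ohrner <senderaddress@example.com>");
    std::cout << renderHeaderRow("Sender", "<b>Name</b> <a@example.com>");
    return 0;
}
```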