SUMMARY
When you view an HTML email sometimes the styles - CSS? - are also changing the header

STEPS TO REPRODUCE
1. Set KMail to use standard headers (Fancy headers also fails)
2. Add Toggle HTML Mode to toolbar (can't find other ways to do it?)
3. View an (some) HTML emails, toggle to HTML mode on each.
4. Watch & Judge

OBSERVED RESULT
The headers change style

EXPECTED RESULT
The headers should remain the same.

SOFTWARE/OS VERSIONS
Operating System: Kubuntu 20.10
KDE Plasma Version: 5.19.5
KDE Frameworks Version: 5.74.0
Qt Version: 5.14.2
Kernel Version: 5.8.0-30-generic
OS Type: 64-bit

ADDITIONAL INFORMATION
Created attachment 133497 [details] Plain
Created attachment 133498 [details] HTML
See also bug 317177 for fancy headers.

This is obviously a general problem where any conflicting CSS included in an HTML message body could leak out into the header display. It may even be possible for a malicious message to hide or change header information, thus becoming a security risk. This cannot be worked around by filtering styles used by the header out of the message CSS, because KMail cannot know what style elements the header may use - it may have been written by the user or downloaded.

Would it be possible to "sandbox" the message HTML isolated from the header - maybe within an iframe or similar element?
Could you send me your email in private? Thanks
(In reply to Laurent Montel from comment #4)
> Could you send me your email in private?
> Thanks

I have tried to send it to you, but I'm not sure it actually got sent as KMail didn't give any notifications. Let me know if it hasn't arrived.
I received it. Thanks
(In reply to Jonathan Marten from comment #3)
> See also bug 317177 for fancy headers.
>
> This is obviously a general problem where any conflicting CSS included in a
> HTML message body could leak out into the header display. It may even be
> possible for a malicious message to hide or change header information, thus
> becoming a security risk. This cannot be worked around by filtering styles
> used by the header out of the message CSS, because KMail cannot know what
> style elements the header may use - it may have been written by the user or
> downloaded.
>
> Would it be possible to "sandbox" the message HTML isolated from the header
> - maybe within an iframe or similar element?

Hi,
an iframe can be a good idea, but we can't know the exact message height, so we can have two scrollbars; it's not good at the moment.
But isolating the message must be a good idea.
I need to continue to investigate it.
*** This bug has been marked as a duplicate of bug 371656 ***
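
The isolation idea discussed in this thread, as an added illustration that is not KMail code: the message body is carried as a separate document in a sandboxed iframe's srcdoc, so its stylesheet is never part of the document that renders the header. The function names, element ids and sample strings are hypothetical and constructed for this example.

```javascript
// Added illustration, not KMail code; names, ids and samples are hypothetical.

// Constructed sample: a message whose stylesheet uses broad selectors.
const SAMPLE_MESSAGE =
  '<style>div, td { font-family: cursive; color: red; }</style>' +
  '<div>Hello & "welcome"</div>';
const SAMPLE_HEADER = '<div id="header">From: alice@example.org</div>';

// Escape text so it can sit inside a double-quoted HTML attribute value.
const escapeAttr = (s) => s.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
  .replace(/</g, '&lt;').replace(/>/g, '&gt;');

// Inverse of escapeAttr (&amp; is decoded last), used to check the round trip.
const unescapeAttr = (s) => s.replace(/&gt;/g, '>').replace(/&lt;/g, '<')
  .replace(/&quot;/g, '"').replace(/&amp;/g, '&');

// Shared layout: header and message live in one document, so the message's
// <style> rules are matched against the header elements as well.
function buildSharedDocument(headerHtml, messageHtml) {
  return `<body>${headerHtml}<div id="message">${messageHtml}</div></body>`;
}

// Isolated layout: the message is its own document inside the iframe.
// Stylesheets apply only to the document that contains them, and an empty
// sandbox attribute also disables scripts in the frame.
function buildIsolatedDocument(headerHtml, messageHtml) {
  return `<body>${headerHtml}<iframe id="message" sandbox="" ` +
    `srcdoc="${escapeAttr(messageHtml)}"></iframe></body>`;
}

// Markup that is parsed as part of the top-level (header) document.
function topLevelMarkup(doc) {
  return doc.replace(/ srcdoc="[^"]*"/, '');
}

// The message document carried in srcdoc, decoded back to its original form.
function framedMessage(doc) {
  const m = doc.match(/ srcdoc="([^"]*)"/);
  return m ? unescapeAttr(m[1]) : null;
}
```

With an empty sandbox attribute the parent cannot read the framed document to measure it, so this sketch does not address the message height and double-scrollbar concern raised above.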