On 3/24/25 12:09 PM, Jens Wahnes wrote:
Hi Patrick,
Patrick Boutilier wrote:
On 2025-03-24 07:16, Jens Wahnes wrote:
One solution I found to filter out the malicious content from emails
like the one Nataša described was to tighten the code used to
sanitize HTML in e-mails. This is found in the
imp/lib/Mime/Viewer/Html.php file. The code in the big "switch" statement of the "_node"
method, around line 435 or so, dealing with "case 'style'", can be
extended to call "removeChild($node)" not only in the sub-case of
'text/css', as already present in the file, but also in the general
case. When I added a statement to that effect, the malicious code
from the email was no longer delivered to the browser. So that's a
solution others may want to try as well, assuming there will be no
official patch or newer version released by Horde maintainers.
Can you provide a patch/diff file for your changes?
It's this code here:
https://github.com/horde/imp/pull/15/commits/51c4173489477692527748f46d35b568df686868
Slight typo there. Line 447 is missing $ at the start. Line 457 at
https://github.com/horde/imp/pull/15/files
Thanks.
Jens
--
imp mailing list
Frequently Asked Questions: http://wiki.horde.org/FAQ
To unsubscribe, mail: imp-unsubscr...@lists.horde.org
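
Added example, not part of the thread and not Horde IMP's code: a standalone PHP sketch of the change discussed above, comparing a sanitizer pass that drops <style> elements only when they are typed text/css with one that calls removeChild() on every <style> element. The function name strip_style_nodes, the $generalCase flag and the sample message are hypothetical and constructed for illustration.

```php
<?php
// Illustration only; the real logic lives in the "_node" method of
// imp/lib/Mime/Viewer/Html.php and is not reproduced here.

function strip_style_nodes(string $html, bool $generalCase): string
{
    $doc = new DOMDocument();
    // E-mail HTML is rarely well-formed; keep libxml parse warnings quiet.
    $prev = libxml_use_internal_errors(true);
    $doc->loadHTML($html, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    // getElementsByTagName() returns a live list, so take a snapshot
    // before removing nodes, otherwise elements are skipped.
    $styles = iterator_to_array($doc->getElementsByTagName('style'));
    foreach ($styles as $node) {
        $type = strtolower(trim($node->getAttribute('type')));
        // Narrow form: only the 'text/css' sub-case is removed.
        // General form: every <style> element is removed, whatever its type.
        if ($generalCase || $type === 'text/css') {
            $node->parentNode->removeChild($node);
        }
    }
    return $doc->saveHTML();
}

// Constructed sample message body with three <style> variants.
$mail = <<<HTML
<html><head>
<style type="text/css">p { color: red; }</style>
<style type="text/x-other">p { color: blue; }</style>
<style>p { color: green; }</style>
</head><body><p>Hello</p></body></html>
HTML;

foreach ([false, true] as $general) {
    $out = strip_style_nodes($mail, $general);
    printf(
        "%s: %d <style> element(s) left\n",
        $general ? 'general case' : 'text/css only',
        substr_count(strtolower($out), '<style')
    );
}
```

Run with the php CLI; the count printed for each mode shows which <style> variants survive a type-specific check and would therefore still reach the browser.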