Remote images unintentionally displayed upon viewing HTML parts #4013

Closed
rcubetrac opened this issue Nov 20, 2012 · 5 comments
Comments


Reported by myfreexp on 20 Nov 2012 22:11 UTC as Trac ticket #1488827

If option "Display HTML" is enabled, remote images are not being displayed by default. Instead a warning "To protect your privacy, remote images are blocked in this message." is shown, and a link "Display images" is being offered. That's good.

If option "Display HTML" is disabled, then the text part is shown and a link "HTML message" is being offered below the header section of the message. When clicking on that link, the HTML message is loaded in a separate window, BUT: Remote images are then also fully loaded by default without any warning and without any chance to avoid it. That's not as good...

Clicking on the "Display HTML" link should load the message in the same way as if the option "Display HTML" would have been enabled (i.e. without any remote images).

Test message attached.

Keywords: Remote images displayed
Migrated-From: http://trac.roundcube.net/ticket/1488827


Comment by myfreexp on 20 Nov 2012 22:25 UTC

Sorry, attachment of test message has not been successful as per the following response:

Submission rejected as potential spam (Maximum number of external links per post exceeded, Content contained these blacklisted patterns: 'M_E_S_S_A_G_E')

Grmpf. Really funny to blacklist the term 'M_E_S_S_A_G_E' in a message...

(The underscores are just there to avoid this comment being rejected for the third time now; of course it should read without the underscores...)


Comment by myfreexp on 20 Nov 2012 22:32 UTC

Replying to myfreexp:

Clicking on the "Display HTML" link should load the message in the same way as if the option "Display HTML" would have been enabled (i.e. without any remote images).

That should of course read:

Clicking on the "HTML message" link should load the message in the same way as if the option "Display HTML" would have been enabled (i.e. without any remote images).


Comment by @alecpl on 21 Nov 2012 08:11 UTC

It looks like this is by design. See app.js line 822:

    if (props.mimetype == 'text/html')
      qstring += '&_safe=1';

It makes every text/html attachment be considered safe. So the fix should remove these lines, but we'll also need to display the warning and the "Display images" button in the part preview page.
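To make the mechanism alecpl describes concrete, here is an added example (not Roundcube's code, and not the commit referenced later in this thread) of how the part-preview query string and the remote-image gate interact. It shows the "before" behaviour, where every text/html part is sent with `_safe=1`, beside the "after" behaviour, where `_safe=1` is only appended after the user has clicked "Display images", plus a minimal stand-in for the server-side step that neutralises remote image references and reports whether the warning should be shown. The function names, the `props` fields, the `about:blank` placeholder, the `data-blocked-src` attribute and the sample message are assumptions made for this example; only the `_safe=1` parameter and the warning text come from the thread.

```javascript
// Added example, not Roundcube's code. Models the client-side query-string
// construction quoted in the comment above and a minimal server-side
// remote-image gate. Names, props fields and the sample message are assumptions.

const WARNING = 'To protect your privacy, remote images are blocked in this message.';

// Before the fix: every text/html part gets _safe=1, so the renderer never
// blocks remote images in the "HTML message" preview window.
function buildPartQueryBefore(props) {
  let qstring = '_mbox=' + encodeURIComponent(props.mbox)
    + '&_uid=' + encodeURIComponent(String(props.uid))
    + '&_part=' + encodeURIComponent(props.part);
  if (props.mimetype == 'text/html')
    qstring += '&_safe=1';            // the two lines quoted in the comment above
  return qstring;
}

// After the fix: _safe=1 is sent only when the user clicked "Display images"
// for this message; the content type alone never implies trust.
function buildPartQueryAfter(props, userAllowedImages) {
  let qstring = '_mbox=' + encodeURIComponent(props.mbox)
    + '&_uid=' + encodeURIComponent(String(props.uid))
    + '&_part=' + encodeURIComponent(props.part);
  if (userAllowedImages)
    qstring += '&_safe=1';
  return qstring;
}

// Minimal stand-in for the server-side remote-image gate (hypothetical, not
// Roundcube's HTML washer). Unless `safe` is set it neutralises <img src> and
// CSS url() references that point at http(s) or protocol-relative (//host)
// locations, keeps the original URL in a data- attribute so "Display images"
// could restore it, and leaves cid: and data: references (inline parts) alone.
// Returns how many references were blocked so the preview page knows whether
// to show the warning and the "Display images" button.
function blockRemoteImages(html, safe) {
  if (safe) return { html: html, blocked: 0 };
  let blocked = 0;
  const imgRe = /(<img\b[^>]*?\ssrc\s*=\s*)(["']?)((?:https?:)?\/\/[^"'\s>]*)\2/gi;
  const cssRe = /url\(\s*(["']?)(?:https?:)?\/\/[^)"']*\1\s*\)/gi;
  let out = html.replace(imgRe, function (m, pre, q, url) {
    blocked++;
    return pre + '"about:blank" data-blocked-src="' + url + '"';
  });
  out = out.replace(cssRe, function () {
    blocked++;
    return 'url(about:blank)';
  });
  return { html: out, blocked: blocked };
}

// What the "HTML message" preview page does with the fixed query string:
// the server reads _safe from the query, washes the part accordingly, and
// the page shows the warning (with a "Display images" link) if anything
// was blocked.
function renderPartPreview(html, props, userAllowedImages) {
  const query = buildPartQueryAfter(props, userAllowedImages);
  const safe = /(^|&)_safe=1(&|$)/.test(query);
  const result = blockRemoteImages(html, safe);
  return {
    query: query,
    html: result.html,
    warning: result.blocked > 0 ? WARNING : null,
  };
}

// Constructed sample message for this example (not the reporter's attachment).
const SAMPLE_HTML = [
  '<html><body>',
  '<p>Hello</p>',
  '<img src="https://tracker.example/pixel.gif?id=42" width="1" height="1">',
  "<img alt='logo' src='//cdn.example/logo.png'>",
  '<div style="background:url(http://tracker.example/bg.png)">x</div>',
  '<img src="cid:inline1@example">',
  '<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=">',
  '</body></html>',
].join('\n');

const SAMPLE_PROPS = { mbox: 'INBOX', uid: 12, part: '2', mimetype: 'text/html' };

if (typeof require !== 'undefined' && require.main === module) {
  console.log('before:', buildPartQueryBefore(SAMPLE_PROPS));
  console.log('after: ', renderPartPreview(SAMPLE_HTML, SAMPLE_PROPS, false));
}
```

Run with `node` to see the two query strings and the washed preview. The point the example makes is that trust must come from the user's explicit choice (carried as `_safe=1`) rather than from the part's content type, and that the server side must treat a missing `_safe` as "block and warn" no matter which window requested the part.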


Comment by @thomascube on 19 Jan 2013 16:04 UTC

Fixed in commit 1ef4033.


Status changed by @thomascube on 19 Jan 2013 16:04 UTC

new => closed
