Ticket #1485137 (closed Patches: fixed)

Opened 7 months ago

Last modified 6 months ago

WasHtml Strips FORM Elements

Reported by: brian Owned by:
Priority: 5 Milestone: 0.2-beta
Component: Client Scripts Version: 0.2-alpha
Severity: normal Keywords:
Cc:

Description

The update to the washtml library disabled the display of forms in emails. Most of the attributes are not allowed, so I would not expect it to have any security risk by enabling it. You cannot submit the forms or execute any JS actions.

I have received emails where the contents were wrapped in a <form> set of tags.

In the folder: /program/lib/ In the file: washtml.php In line: 77 Change the $html_elements to include 'form' as an allowed element.

Updated line: 

  static $html_elements = array('a', 'abbr', 'acronym', 'address', 'area', 'b', 'basefont', 'bdo', 'big', 'blockquote', 'body', 'br', 'caption', 'center', 'cite', 'code', 'col', 'colgroup', 'dd', 'del', 'dfn', 'dir', 'div', 'dl', 'dt', 'em', 'fieldset', 'font', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'hr', 'i', 'ins', 'label', 'legend', 'li', 'map', 'menu', 'ol', 'p', 'pre', 'q', 's', 'samp', 'small', 'span', 'strike', 'strong', 'sub', 'sup', 'table', 'tbody', 'td', 'tfoot', 'th', 'thead', 'title', 'tr', 'tt', 'u', 'ul', 'var', 'img', 'form');

Change History

Changed 7 months ago by alec

  • milestone changed from later to 0.2-beta

Changed 6 months ago by alec

  • status changed from new to closed
  • resolution set to fixed

Fixed in r1607.

Changed 6 months ago by thomasb

No, no! Forms should not be allowed.

In r16073 I've added a callback function (rcmail_washtml_callback) which turns form elements into <div class="form">. This way we allow the content of form tags to be displayed but without the danger of having forms within our html page.

Reverted in r1608

Note: See TracTickets for help on using tickets.