229122 - Escapes && and > Operators when Sending Javascript in Mail

Status: RESOLVED DUPLICATE of bug 964024

(MailNews Core :: Composition, defect)

Description

[Gus Richter]

User-Agent:       Mozilla/5.0 (Windows; U; Win95; en-US; rv:1.5) Gecko/20031007
Build Identifier: Mozilla/5.0 (Windows; U; Win95; en-US; rv:1.5) Gecko/20031007

SENDING Mail with Mozilla-Mail/Thunderbird containg Javascript, causes the &&
and > Operators to be converted to their escaped form of && and >.
When such mail is received, the Javascript is then inoperable.

RECEIVING such Mail with Mozilla-Mail/Thunderbird sent with another client such
as NC 4.x works O.K. The problem in Thunderbird is only in Sending Mail.

See Bug# 228787 reported under Thunderbird.

<script language="javascript">
// sending
if(i>1)
// and
(x==0&&y==restHeight)
// results in receiving
// if(i&gt;1)
// and
// (x==0&amp;&amp;y==restHeight)
</script>

** See Bug# 228787 Thunderbird where it's reported that under unknown conditions
the Operators are NOT escaped.


Reproducible: Always

Steps to Reproduce:
1. Include the sample script in Mail and send.
2. Open the Mail, look at source, and the Operators are escaped.


Actual Results:  
Results as previously mentioned.


Expected Results:  
Mozilla Mail/News should not escape the Operators before/during Send.

Comment 1

[Oliver Klee]

This isn't a blocker. Changing to Normal severity.

Comment 2

[Scott MacGregor]

*** Bug 228787 has been marked as a duplicate of this bug. ***

Comment 3

[Gus Richter]

Changed to ALL OS's.

Gus

Comment 4

[Gus Richter]

Changed Component from Mail Back-End to Composition.

Comment 5

[Gervase Markham [:gerv]]

This is an automated message, with ID "auto-resolve01".

This bug has had no comments for a long time. Statistically, we have found that
bug reports that have not been confirmed by a second user after three months are
highly unlikely to be the source of a fix to the code.

While your input is very important to us, our resources are limited and so we
are asking for your help in focussing our efforts. If you can still reproduce
this problem in the latest version of the product (see below for how to obtain a
copy) or, for feature requests, if it's not present in the latest version and
you still believe we should implement it, please visit the URL of this bug
(given at the top of this mail) and add a comment to that effect, giving more
reproduction information if you have it.

If it is not a problem any longer, you need take no action. If this bug is not
changed in any way in the next two weeks, it will be automatically resolved.
Thank you for your help in this matter.

The latest beta releases can be obtained from:
Firefox:     http://www.mozilla.org/projects/firefox/
Thunderbird: http://www.mozilla.org/products/thunderbird/releases/1.5beta1.html
Seamonkey:   http://www.mozilla.org/projects/seamonkey/

Comment 6

[Gus Richter]

(In reply to comment #5)
Tested for this bug on the latest Thunderbird version 1.5 Beta 1 (20050908) and
find the problem to be still there.

The procedure is to include the script as submitted into mail and the  >  and 
&&  operators will be escaped to  >  and  &&  respectively.

Gus Richter

Comment 7

[Joe Sabash [:JoeS1]]

The original posters comments are perfectly clear and reproduceable.

With the new auto-resolve policy, and given this bug has been ignored for an
inordinate length of time IMO I have enter a specific test case and additional
comments.
The following testing was done with Mozilla/5.0 (Windows; U; Windows NT 5.1;
en-US; rv:1.9a1) Gecko/20050930 Thunderbird/1.6a1 ID:2005093008

Steps to reproduce:
  1. Copy the contents of the attachment sniffamp.txt into an html composition
using |Insert | html or key enter the code via the |Insert | html window.
(the bug is not a product of copy/paste]
  2. Save the composition as unsent, or send it to yourself
  3. Observe that the and/if javascript operator has been corrupted escaping the
amps to render the script inoperable.

Results in the received message javascript console:
Error: syntax error
Source File: mailbox:///C|/(some message url)

Source Code:
var geck = document.getElementById&&!document.all ? 1 : 0;

The escaping occurs during the send/save process.

The same result with the "greater than" operator.
The exact core component that converts the composed html is unknown to me.
Any help in identifying would be appreciated.

Javascript is fully supported in received Mail/News.
Why should it be ignored in Composition/Send

Comment 8

[Joe Sabash [:JoeS1]]

Attachment: text of the inserted script

Comment 9

[Gus Richter]

3 year old bug with 1 1/2 year of inactivity.
Hoping to put this on someone's radar.

Comment 10

[(not reading, please use seth@sspitzer.org instead)]

sorry for the spam.  making bugzilla reflect reality as I'm not working on these bugs.  filter on FOOBARCHEESE to remove these in bulk.

Comment 11

[Serge Gautherie (:sgautherie)]

Filter on "Nobody_NScomTLD_20080620"

Comment 12

[Ronald Killmer]

Recommend the closing of this bug as wontfix.  Reason is TB had embedded JS script access to spidermonkey killed when FF made a core CAPS change while TB3/3.1 was in pre-release with no resources available to adapt.

Comment 13

[Joe Sabash [:JoeS1]]

Actually Ron, this has been fixed on trunk just a day ago.
Scripts are no longer corrupted, but it's still difficult to get JS to run.
I don't think that will ever be re-visited, but you can get scripts to run with up to TB 27, and an older version of the 'Total Message' extension. The capability to run JS in that extension was dropped on more recent versions.
Good to see you posting (my bugzilla email addy is good, drop me a line sometime, and we call talk about the 'good old days'

Comment 15

[Hannes Verschore [:h4writer]]

I think you marked the wrong bug as duplicate.

Comment 16

[Hannes Verschore [:h4writer]]

Oh sorry. It seems it was already updated to the right bug. Sorry for the spam.