Closed Bug 782580 Opened 12 years ago Closed 3 years ago

Don't render form elements in emails

Categories: MailNews Core :: Backend, defect
Type: defect
Priority: Not set
Severity: normal
Tracking: Not tracked
Status: RESOLVED WORKSFORME
People: Reporter: standard8, Unassigned

Details

Our form handling is currently broken (bug 533545); however, per discussions in the security group, we shouldn't really be displaying/handling forms at all:

http://groups.google.com/group/mozilla.dev.security/browse_thread/thread/72f921bb9c5debfa

The short summary is that if we attempt to handle forms we put the user at even greater risk of phishing, but also there are additional security concerns with being able to handle the form correctly. There's also the likelihood that we wouldn't be able to handle all types of form correctly.

Therefore, per that discussion, I think we should just blacklist displaying form elements in all email views (I believe the simple html view already has form elements disabled).

Yes, the Thunderbird sanitizer strips forms, but the sanitizer is only used for simple HTML view or messages flagged junk (if so configured). If the sanitizer ends up being always used for the normal case, it will be important to not pass nsIParserUtils::SanitizerDropNonCSSPresentation since that strips <font> tags which is how Thunderbird itself encodes most presentation. (The preference for stripping that presentation is enabled by default.)

It's conceivable there could be some regressions from introducing the sanitizer where it previously has not been used.

NB: B2G e-mail is sanitizing forms out of existence for similar phishing reasons.
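The trade-off described in the comment above, as an added example that is not Thunderbird's or Mozilla's code: a small HTML e-mail sanitizer with two switches modelled on the sanitizer's form-dropping behaviour and on the SanitizerDropNonCSSPresentation flag. Dropping forms removes a form element together with its whole subtree (labels, inputs, buttons and their text), while the presentation switch merely unwraps `<font>` and similar tags. The tag sets, the `MailSanitizer` class, the `sanitize` function and the sample message body are all assumptions constructed for this example; a real sanitizer also strips scripts, event handlers and remote references, which this example deliberately leaves out.

```python
# Added example, not Thunderbird's or Mozilla's code: a minimal HTML e-mail
# sanitizer modelled on the two behaviours discussed in the bug, dropping form
# elements and (optionally) non-CSS presentational tags such as <font>.
from html import escape
from html.parser import HTMLParser

# Elements a mail client has no business rendering: anything that collects input.
FORM_TAGS = {"form", "input", "button", "select", "option", "optgroup", "textarea",
             "label", "fieldset", "legend", "datalist", "output"}
# Presentational tags a "drop non-CSS presentation" mode would strip (assumed list).
# <font> is the one Thunderbird's own composer relies on, per the comment above.
PRESENTATION_TAGS = {"font", "center", "big", "strike", "tt"}
# Void elements never get an end tag, so they must not affect the nesting depth.
VOID_TAGS = {"br", "hr", "img", "input", "wbr"}


class MailSanitizer(HTMLParser):
    def __init__(self, drop_forms=True, drop_non_css_presentation=False):
        super().__init__(convert_charrefs=True)
        self.drop_forms = drop_forms
        self.drop_presentation = drop_non_css_presentation
        self.out = []       # serialised, sanitised markup
        self.removed = []   # tag names removed, for logging/diagnostics
        self.depth = 0      # >0 while inside a dropped form element: swallow everything

    def handle_starttag(self, tag, attrs):
        if self.depth:
            if tag not in VOID_TAGS:
                self.depth += 1
            return
        if self.drop_forms and tag in FORM_TAGS:
            self.removed.append(tag)
            if tag not in VOID_TAGS:
                self.depth = 1          # drop the element and its whole subtree
            return
        if self.drop_presentation and tag in PRESENTATION_TAGS:
            self.removed.append(tag)
            return                      # unwrap: keep the text, lose the tag
        rendered = "".join(
            f' {name}="{escape(value, quote=True)}"' if value is not None else f" {name}"
            for name, value in attrs)
        self.out.append(f"<{tag}{rendered}>")

    def handle_endtag(self, tag):
        if tag in VOID_TAGS:
            return
        if self.depth:
            self.depth -= 1
            return
        if self.drop_presentation and tag in PRESENTATION_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.depth:              # form labels and button text vanish with the form
            self.out.append(escape(data))


def sanitize(html, drop_forms=True, drop_non_css_presentation=False):
    """Return (sanitised_html, removed_tag_names)."""
    parser = MailSanitizer(drop_forms, drop_non_css_presentation)
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.removed


# Constructed sample body: a <font>-styled paragraph plus a credential-harvesting form.
SAMPLE = (
    '<p><font color="red" face="Arial">Your account needs verification.</font></p>'
    '<form action="https://login.example.invalid/verify" method="post">'
    '<label>Password: <input type="password" name="pw"></label>'
    '<button type="submit">Verify</button></form>'
    '<p>Regards,<br>The Team</p>'
)

if __name__ == "__main__":
    for flag in (False, True):
        clean, removed = sanitize(SAMPLE, drop_non_css_presentation=flag)
        print(f"drop_non_css_presentation={flag}: removed={removed}\n  {clean}")
```

With only form dropping enabled the password form disappears but the `<font>` styling survives; enabling the presentation switch as well strips the `<font>` tag too, which is exactly the regression the comment warns about if that flag were passed for the normal message view.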
Blocks: 533545

Is this a duplicate of a newer bug?

Flags: needinfo?(mkmelin+mozilla)

No, but I think there's not much we want to do here. Forms are "handled" now in the way that we don't allow any input but instead open the page in the browser where the user can do what he wants, if anything.

Flags: needinfo?(mkmelin+mozilla)

Yes, I thought we handled this in the last year.

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WORKSFORME