Open Bug 1784056 Opened 3 years ago Updated 3 years ago

HTML markup is not escaped in desktop notifications

Categories

(Thunderbird :: Untriaged, defect)

Thunderbird 91
defect

Tracking

(Not tracked)

UNCONFIRMED

People

(Reporter: manikulin, Unassigned)

Details

(Keywords: dupeme)

Steps to reproduce:

I accidentally noticed that Thunderbird does not escape HTML markup when it generates the text for desktop notifications.

I use KDE, but it may well be an issue for other desktops as well, since it is part of the specification: https://specifications.freedesktop.org/notification-spec/latest/ar01s04.html

  • Check that notification popups are enabled for the Thunderbird application.
  • Send a message with some markup in the subject, e.g. Start <i>using</i> <a href="https://outlook.com">thunderbird</a> <b>NOW!!!</b>
  • Wait for the popup notification when the message is received.

Actual results:

Some tags are interpreted, changing the font, and links (possibly misleading) may appear in the notification.

Expected results:

The subject (unsure whether it is possible to inject something confusing through the sender or date) is shown literally.

When the notification text is generated, the &, < and > characters in strings taken from messages are escaped to prevent their interpretation as markup. This should be a measure to protect users against an unfair sender.
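An added example (not Thunderbird's own code) of the escaping the expected results describe: each untrusted message field is entity-encoded before the notification body is assembled, using the subject from the steps above as constructed input. The function names, the message fields and the sender address are assumptions.

```javascript
// Added example, not Thunderbird code: escaping untrusted message fields before
// they go into a freedesktop notification body, where the server may render a
// subset of HTML-like markup (<b>, <i>, <u>, <a>, <img>).

// Entity-encode the characters a notification server treats as markup.
// The spec requires &, < and > to be escaped; quotes are escaped as well so
// the text is also inert inside an attribute value.
function escapeMarkup(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Tags the freedesktop spec allows a server to render; used only to check
// whether a body still contains renderable markup.
const BODY_MARKUP_TAG = /<\/?(b|i|u|a|img)\b[^>]*>/i;

function bodyRendersMarkup(body) {
  return BODY_MARKUP_TAG.test(body);
}

// The defective behaviour from the report: fields are concatenated as-is,
// so tags in the subject are interpreted by the notification server.
function buildBodyUnsafe(msg) {
  return `${msg.from}\n${msg.subject}`;
}

// Hardened form: every field taken from the message is escaped first. The
// sender is escaped too, since the report notes it may also carry confusing
// input (and a bare "<addr>" would otherwise be swallowed as an unknown tag).
function buildBodySafe(msg) {
  return `${escapeMarkup(msg.from)}\n${escapeMarkup(msg.subject)}`;
}

// Constructed sample message using the subject line from the bug report.
const SAMPLE_MESSAGE = {
  from: "Some Sender <someone@example.invalid>",
  subject: 'Start <i>using</i> <a href="https://outlook.com">thunderbird</a> <b>NOW!!!</b>',
};

console.log("unsafe renders markup:", bodyRendersMarkup(buildBodyUnsafe(SAMPLE_MESSAGE)));
console.log("safe renders markup:  ", bodyRendersMarkup(buildBodySafe(SAMPLE_MESSAGE)));
console.log(buildBodySafe(SAMPLE_MESSAGE));
```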

KDE bug IIRC.

Keywords: dupeme

(In reply to Magnus Melin [:mkmelin] from comment #1)

> KDE bug IIRC.

I do not think so. KDE follows the freedesktop spec for notifications, which allows other applications to present text with some formatting features. So it is Thunderbird's responsibility to add protection against text from untrusted sources.
