Print engine allows JavaScript execution



15 years ago
11 years ago


(Reporter: arve.bersvendsen, Assigned: whimboo)


({fixed1.8.0.14, verified1.8.1.8})

Bug Flags:
blocking1.8.1.8 +
blocking1.8.0.14 +

Firefox Tracking Flags

(Not tracked)



(2 attachments)



15 years ago
User-Agent:       Opera/7.60 (Windows NT 5.1; U; en)
Build Identifier: 

When you attempt printing an HTML e-mail that contains JavaScript, JavaScript is 
executed immediatly when print preview is called.

Reproducible: Always

Steps to Reproduce:
1. Compose e-mail using text/html, containing JavaScript:
<script type="text/javascript">
  alert("Javascript alert");
Attachment decoded: untitled-1.htm
2. Receive mail in Thunderbird
3. Print the mail, or invoke the print preview

Actual Results:  
A JavaScript alert, saying "JavaScript alert" is displayed

Expected Results:  
The browser should have ignored the JavaScript

Comment 1

15 years ago

Comment 2

15 years ago
Confirmed, TB 1.0 winXP
Component: General → Mail Window Front End
Ever confirmed: true

Comment 3

14 years ago
Confirmed, Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9a1) Gecko/20051003
SeaMonkey/1.1a, but only if View -> Message Body As -> Original HTML is set. Not
Windows- and Thunderbird-only. Suggest changing "OS: Windows XP" to "OS: All".

Comment 4

13 years ago
Does the bug allow now system or user account compomise in connection with at least for Thunderbird 1.0.7 and 1.5?
QA Contact: front-end
WFM with latest versions of Thunderbird from 1.8.0 and 1.8.1 branches.

Is this still an issue for SeaMonkey? 
Assignee: mscott → nobody
Component: Mail Window Front End → MailNews: Printing
OS: Windows XP → All
Product: Thunderbird → Core
QA Contact: front-end → printing

Comment 6

12 years ago
If I turn on JavaScript for MailNews, which defaults to off, then the alert is displayed in SeaMonkey trunk. When having JS off (default), it's not displayed. It also isn't displayed when viewing HTML messages as plain text, even not if it's an inline-displayed HTML attachment.

I'm not sure this is a bug, it sounds like expected behavior to me.

Comment 7

12 years ago
Argh, ok, I completely misread this, blame last night.

Yes, print preview shows the alert in SeaMonkey trunk even with JS disabled for MailNews. This looks really wrong.
Strange. I can only see this for my trunk debug build of Thunderbird under Linux. I cannot see this for Thunderbird under Windows and Mac OS X. Even my debug trunk build under Mac OS X doesn't pop-up the javascript alert. I can't say anything for 1.8.0 or 1.8 branch builds under Linux.

Anyone who could test the branch releases under Linux?

This could be a security issue. Dunno why this bug was unattended for such a long  period.
Flags: blocking-thunderbird3?
Keywords: qawanted
Version: unspecified → Trunk

Comment 9

12 years ago
My SeaMonkey build from 1.8 branch also shows the bug (all my testing is Linux).

Comment 10

12 years ago
(In reply to comment #5)
> WFM with latest versions of Thunderbird from 1.8.0 and 1.8.1 branches.

Can still easily reproduce the bug with Thunderbird (Windows/20070706) with default JS settings, if the "original HTML" view for message body is active. When javascript.enabled is set to 'false' (default: 'true'), the alert isn't displayed, though.
Ok, I've done more tests. I can reproduce this security issue with and und Linux. Both branches are affected and execute javascript.

Flags: blocking1.8.1.5?
Flags: blocking1.8.0.13?

Comment 12

12 years ago
this might be as easy as making sure we set the mail app type (APP_TYPE_MAIL) on the root docshell for the print engine in nsMsgPrintEngine.cpp

Flags: blocking1.8.1.6?
Flags: blocking1.8.1.5?
Flags: blocking-thunderbird2?
Assignee: nobody → hskupin
Keywords: qawanted
Hardware: PC → All
I hope that's the right way. It's the first time that I made a C++ patch. After compiling I cannot see the javascript alert anymore.
Attachment #271740 - Flags: superreview?(mscott)
Attachment #271740 - Flags: review?(mnyromyr)

Comment 14

12 years ago
Comment on attachment 271740 [details] [diff] [review]
Patch v1: Set correct APP_TYPE

This patch fixes it for me too. One thing to watch out for, I think this might start pushing print preview through the mail content policy manager. There might be issues with remote images and if you've allowed remote images for a message and then try to print preview, do those images load or are they blocked? Could be worth poking around at.
Attachment #271740 - Flags: superreview?(mscott) → superreview+
Scott, I cannot see any issue with remote images. I created a HTML message and saved it as draft. Opening the draft shows me an empty rectangle with the broken image sign. Opening the print preview the image isn't shown. Ok, that's like expected. After that I loaded the image for this message. It's visible inside the body. Opening once again the print preview shows me the image. No blocking of allowed remote images happens.
Comment on attachment 271740 [details] [diff] [review]
Patch v1: Set correct APP_TYPE

Yeah, looks good.
I did some testing with global and message specific remote content blocking and found that these settings are indeed honored by print preview now! (As are those for View HTML As...)
Attachment #271740 - Flags: review?(mnyromyr) → review+
Keywords: checkin-needed

Comment 17

12 years ago
cool! I think this patch is ready for the trunk. I'll land it for Henrik. Thanks Henrik!
Last Resolved: 12 years ago
Resolution: --- → FIXED
Flags: blocking-thunderbird3?
Flags: blocking-thunderbird2?
Keywords: checkin-needed
Verified with version 3.0a1pre (2007071403).
Comment on attachment 271740 [details] [diff] [review]
Patch v1: Set correct APP_TYPE

This patch will stop Javascript execution for printing and print preview. Perhaps a security related issue?
Attachment #271740 - Flags: approval1.8.1.6?
Flags: blocking1.8.1.7?
Flags: blocking1.8.1.7+
Flags: blocking1.8.0.13?
Flags: blocking1.8.0.13+
Flags: blocking1.8.0.13+ → blocking1.8.0.14+
Comment on attachment 271740 [details] [diff] [review]
Patch v1: Set correct APP_TYPE

Asking approval accordingly to blocking flags.
Attachment #271740 - Flags: approval1.8.0.14?
Comment on attachment 271740 [details] [diff] [review]
Patch v1: Set correct APP_TYPE

approved for, a=dveditz for release-drivers
Attachment #271740 - Flags: approval1.8.1.7?
Attachment #271740 - Flags: approval1.8.1.7+
Attachment #271740 - Flags: approval1.8.0.14?
Attachment #271740 - Flags: approval1.8.0.14+
Keywords: checkin-needed
Comment on attachment 271740 [details] [diff] [review]
Patch v1: Set correct APP_TYPE

Landed on MOZILLA_1_8_BRANCH and MOZILLA_1_8_0_BRANCH.
verified fixed using Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv: Gecko/20070828 Thunderbird/ Mnenhy/ ID:2007082804 - no javascript execution/warning on testcase

Adding verified keyword
Product: Core → MailNews Core
You need to log in before you can comment on or make changes to this bug.