Closed Bug 309012 Opened 19 years ago Closed 19 years ago

STYLE section data appears in message body with Simple HTML

Categories

(Core :: DOM: Serializers, defect, P2)

Product:
Core
Component:
DOM: Serializers
Platform:
x86
Windows XP
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.9alpha1

People

(Reporter: bugzilla, Assigned: mrbkap)

References

Details

(Keywords: regression)

Attachments

(1 file, 2 obsolete files)

take 3
5.68 KB, patch
jst
: review+
jst
: superreview+
Details | Diff | Splinter Review 
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20050917 SeaMonkey/1.1a
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20050917 SeaMonkey/1.1a

When HTML e-mails has a STYLE section in the header, the style contents are
displayed in the message body with View->Message Body as->Simple HTML.

The last working build was 2005-09-09-07.  

Reproducible: Always

Steps to Reproduce:
1. In Mail/News, choose View->Message Body as->Simple HTML
2. Find (or send to yourself) an HTML email with STYLE data


Actual Results:  
The STYLE contents are displayed at the top of the message body.

Expected Results:  
The STYLE content should not have been displayed.
Blocks: 272702
I'm taking and confirming this based on code inspection. I'll look at this on
Monday (and add a test for this in the outsink tests).
Assignee: mail → mrbkap
Status: UNCONFIRMED → NEW
Ever confirmed: true
Component: MailNews: Main Mail Window → DOM to Text Conversion
Product: Mozilla Application Suite → Core
Version: unspecified → Trunk
Status: NEW → ASSIGNED
I can't actually test this, but it should fix this bug. Basically, the idea is
that if we're not allowing a tag and it appears in the special list of tags,
then we'll ignore all of the contents as well.

Ben, what do you think?
Attachment #196679 - Flags: review?(ben.bucksch)
+  else if (strchr(gIgnoreContents, aTag))
+    ++mSkipLevel;

Yuck. aTag is an integer, see below. Then you can get rid of the array, too.

I would not skip textarea contents.

+  if (mSkipLevel == 0 && IsAllowedTag(type))

Do

if (type == eHTMLTag_script || type == eHTMLTag_style)
  mSkipLevel++;
else if (IsAllowedTag(type))
  ...
else if (mSkipLevel > 0)
  Write(NS_LITERAL_STRING(" "));

instead.

And please test before the next patch!
nonsense, I meant:

if (type == eHTMLTag_script || type == eHTMLTag_style)
  mSkipLevel++;
else if (mSkipLevel > 0)
  Write(NS_LITERAL_STRING(" "));
else if (IsAllowedTag(type))
  ...
Attached patch take 2 (obsolete) — Splinter Review 
This still needs testing, so I'll hold off on asking for reviews until it gets
tested.
Attachment #196679 - Attachment is obsolete: true
Attachment #196679 - Flags: review?(ben.bucksch) → review-
Comment on attachment 196684 [details] [diff] [review]
take 2

mcsmurf has confirmed that this patch works for him.

I've deliberately kept the ordering the way I had it before so that if someone
ever decides to allow <script> or <style> tags, they can simply enable them in
the pref and not hack the serializer.
Attachment #196684 - Flags: review?(ben.bucksch)
Your logic is wrong. If you have a <form> (disallowed tag) in a <script>, your
skiplevel will get messed up.

Please test *yourself*, *carefully*, including edge cases.
Attached patch take 3Splinter Review 
As things stand, it seems that it's impossible to ever give the sanitizing
serializer such a broken DOM. The only entry point that I know is the "Simple
HTML" option for viewing message bodies, which always goes through CNavDTD ->
mozSanitizingSerializer, and if there are _any_ containers inside <style> or
<script>, there's a bug that needs to be fixed there (in the DTD).

That said, I believe this should fix all of the remaining logic problems.
Attachment #196684 - Attachment is obsolete: true
Attachment #196713 - Flags: review?(ben.bucksch)
Attachment #196684 - Flags: review?(ben.bucksch) → review-
If at any point a script has access to the DOM in question, then you can end up
with child nodes of <style>, etc.
Keywords: regression
Blake, are you working on this? Personally I think this problem is something that should be fixed before any release.
Keywords: mail4
I'm simply waiting for review on my patch. This is a trunk-only regression (bug 272702 never touched the branch). I'm sorry it took so long for this fix to go in. If Ben can't review the latest patch, I'll try seeking a new reviewer.
Priority: -- → P2
Target Milestone: --- → mozilla1.9alpha
(In reply to comment #9)
> If at any point a script has access to the DOM in question, then you can end up
> with child nodes of <style>, etc.

Except, in those cases, we use the fragment content sink. This bug only affects the sanitizing content sink, which is (again!) only instantiated with a CNavDTD DTD. At any rate, the last patch should technically handle all sorts of invalid cases anyway.
D'oh, sorry. I somehow missed the r? flag..
Attachment #196713 - Flags: review?(jst)
Comment on attachment 196713 [details] [diff] [review]
take 3

r+sr=jst, looks good.
Attachment #196713 - Flags: superreview+
Attachment #196713 - Flags: review?(jst)
Attachment #196713 - Flags: review+
Fix checked into trunk.
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Attachment #196713 - Flags: review?(ben.bucksch)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: