Don't render form elements in emails

NEW
Unassigned

Status

MailNews Core
Backend
6 years ago
4 years ago

People

(Reporter: standard8, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

Our form handling is currently broken (bug 533545), however, per discussions in the security group we shouldn't really be displaying/handling forms at all:

http://groups.google.com/group/mozilla.dev.security/browse_thread/thread/72f921bb9c5debfa

The short summary is that if we attempt to handle forms we put the user at even greater risk of phishing, but also there are additional security concerns with being able to handle the form correctly. There's also the likelihood that we wouldn't be able to handle all types of form correctly.

Therefore per that discussion, I think we should just blacklist displaying form elements in all email views (I believe the simple html view already has form elements disabled).
Yes, the Thunderbird sanitizer strips forms, but the sanitizer is only used for simple HTML view or messages flagged junk (if so configured).  If the sanitizer ends up being always used for the normal case, it will be important to not pass nsIParserUtils::SanitizerDropNonCSSPresentation since that strips <font> tags which is how Thunderbird itself encodes most presentation.  (The preference for stripping that presentation is enabled by default.)

It's conceivable there could be some regressions from introducing the sanitizer where it previously has not been used.

NB: B2G e-mail is sanitizing forms out of existence for similar phishing reasons.
Blocks: 533545
You need to log in before you can comment on or make changes to this bug.