Closed Bug 857914 Opened 12 years ago Closed 7 years ago

[email] Have HTML sanitizer support body "background" attribute, CSS "background", "background-image", "border-image*", "list-style", "list-style-image", and other URI-bearing style declarations

Categories

(Firefox OS Graveyard :: Gaia::E-Mail, defect)

x86_64
Linux
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: asuth, Unassigned)

Details

Previously, we did not whitelist HTML attributes and CSS style declarations that could reference external URIs because this could result in information leakage and the parsing was non-trivial for our preliminary implementation. When the worker thread bug lands, we will now be using a real CSS parser which makes it easier for us to detect the external URI cases and sanitize just them, ideally so that we can use our "show external images" UI and then fix-up the message to restore those styles. But even just letting through hex colors would be a major improvement.
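The approach outlined in the description, as an added example that is not the Gaia e-mail app's code: split a style attribute into declarations, render the ones that cannot trigger a fetch, and withhold any that may carry a URI so they can be restored when the user chooses to show external images. The property allowlist, the inert-function list and the sample input are assumptions made for illustration.

```javascript
// Added example, not Gaia code. Both lists below are assumptions.
const ALLOWED_PROPS = new Set(['color', 'background', 'background-color',
  'background-image', 'border-image', 'list-style', 'list-style-image']);
const INERT_FUNCS = new Set(['rgb', 'rgba', 'hsl', 'hsla']);
// Constructed sample input (tracker.example is a placeholder host).
const SAMPLE = 'color: #f00; background: #fff url(http://tracker.example/p.gif); ' +
  'list-style-image: \\75 rl(http://tracker.example/b.png); position: fixed';

// Decode CSS escapes so that "\75 rl(" is recognised as "url(".
function decodeEscapes(s) {
  return s.replace(/\\([0-9a-f]{1,6})\s?|\\([^\n])/gi, (m, hex, ch) => {
    if (!hex) return ch;
    const cp = parseInt(hex, 16);
    return cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : '\ufffd';
  });
}
// Split on top-level ";" only: "url(data:image/png;base64,...)" stays whole.
function splitDeclarations(css) {
  const out = [];
  let cur = '', depth = 0, quote = null;
  for (let i = 0; i < css.length; i++) {
    const c = css[i];
    if (c === '\\') { cur += c + (css[i + 1] || ''); i++; continue; }
    if (quote) { if (c === quote) quote = null; }
    else if (c === '"' || c === "'") quote = c;
    else if (c === '(') depth++;
    else if (c === ')') depth = Math.max(0, depth - 1);
    else if (c === ';' && depth === 0) { out.push(cur); cur = ''; continue; }
    cur += c;
  }
  out.push(cur);
  return out;
}
// kept: safe to render now. withheld: may fetch a URI, restore on user opt-in.
// Any quoted string or non-inert function counts as potentially URI-bearing.
function sanitizeStyle(styleText) {
  const kept = [], withheld = [];
  const css = styleText.replace(/\/\*[\s\S]*?\*\//g, '');
  for (const decl of splitDeclarations(css)) {
    const colon = decl.indexOf(':');
    if (colon < 0) continue;
    const prop = decodeEscapes(decl.slice(0, colon)).trim().toLowerCase();
    const raw = decl.slice(colon + 1).trim();
    if (!ALLOWED_PROPS.has(prop) || !raw) continue; // unknown property: drop
    const value = decodeEscapes(raw);
    const funcs = [...value.matchAll(/([^\s(),]*)\(/g)].map(m => m[1].toLowerCase());
    const risky = /["']/.test(value) || funcs.some(f => !INERT_FUNCS.has(f));
    (risky ? withheld : kept).push(`${prop}: ${raw}`);
  }
  return { style: kept.join('; '), withheld };
}
```

The check is deliberately conservative: gradients and other functions outside the inert list are withheld too, and the returned `style` string still needs HTML attribute escaping before it is written back into the message.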
Firefox OS is not being worked on
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WONTFIX