Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

TF-3243 Fix email without content #3245

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

dab246
Copy link
Member

@dab246 dab246 commented Oct 29, 2024

Issue

#3243

Root cause

  • Because the function Uri.decodeFull(inputText) throws an exception FormatException: Invalid UTF-8 byte (at offset 11) during handle 3D Links in DOM.
  • This error only occurs on the web

Solution

  • Add try/catch blocks to all email transformer DOM handler functions

Resolved

  • Web:
Screen.Recording.2024-10-29.at.19.29.14.mov
  • Mobile:
demo-mobile.webm

Copy link

This PR has been deployed to https://linagora.github.io/tmail-flutter/3245.

@chibenwa
Copy link
Member

Add try/catch blocks to all email transformer and sanitize handler functions

Does this means that if I send a broken base64 link then HTML sanitizing is bypassed and thus I could pass an XSS payload after the broken base64 link?

@dab246
Copy link
Member Author

dab246 commented Oct 30, 2024

Add try/catch blocks to all email transformer and sanitize handler functions

Does this means that if I send a broken base64 link then HTML sanitizing is bypassed and thus I could pass an XSS payload after the broken base64 link?

No. We do HTML sanitization before DOM processing. This error does not try/catch function Uri.decodeFull(inputText) when processing 3D links during DOM processing. So we always block XSS from the start.

Screenshot 2024-10-30 at 09 23 56

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants