Breaking MIME concatenation

Andrew Gallagher andrewg at
Tue May 15 18:37:26 CEST 2018

On 15/05/18 16:44, Patrick Brunschwig wrote:
> I already tried a while ago to trick the Thunderbird HTML rendering
> engine with tricks like this... They don't work. The rendering engine
> ignores the </html> tag (and also tags like </body>).

OK, that particular trick won't work. But if content injection is
possible, then counter-injection should also be possible. How about:

<!-- "><script type="text/javascript">
document.documentElement='';</script> -->

We don't need to worry about what comes after the injected tag close
unless DOM scripting is enabled, and if it is enabled, we can abuse it
just as easily as the bad guys can. :-)

> I think the correct solution must be to treat each MIME part
> independently, i.e. it needs to be parsed independently by the HTML
> engine and produce its own DOM tree. At the end, you can concatenate
> these DOM trees and create a single correct HTML document.

Of course that would be the most correct solution. I was trying to see
if I could think up the quickest solution. ;-)

Andrew Gallagher
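
An added example, not code from this thread or from Thunderbird: one way to apply the "treat each MIME part independently" idea quoted above as a check, by tokenising every text/html part on its own and reporting any part that ends inside an unterminated tag, attribute, comment or raw-text element. The names PartScanner, dangling_state, scan_message and SAMPLE are hypothetical, and the sample message is constructed.

```python
from email import message_from_string
from html.parser import HTMLParser

RAW_TEXT = {"script", "style", "textarea", "title"}  # content swallows later markup

class PartScanner(HTMLParser):
    """Tokenises ONE MIME part on its own; records raw-text elements left open."""
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.open_raw = []
    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT:
            self.open_raw.append(tag)
    def handle_endtag(self, tag):
        if self.open_raw and self.open_raw[-1] == tag:
            self.open_raw.pop()

def dangling_state(html):
    """Describe markup left unterminated at the end of one part, or return None."""
    scanner = PartScanner()
    scanner.feed(html)       # deliberately no close(): keep the unconsumed tail
    tail = scanner.rawdata   # input the tokenizer could not finish
    if scanner.open_raw:
        return "unclosed <%s>" % scanner.open_raw[-1]
    if tail.startswith("<!--"):
        return "unterminated comment"
    if tail.startswith("<"):
        return "unterminated tag or attribute"
    return None

def scan_message(raw):
    """Check each text/html part in isolation; return {html_part_index: finding}."""
    parts = [p for p in message_from_string(raw).walk()
             if p.get_content_type() == "text/html"]
    found = {}
    for i, p in enumerate(parts):
        charset = p.get_content_charset() or "utf-8"
        text = p.get_payload(decode=True).decode(charset, "replace")
        found[i] = dangling_state(text)
    return {i: f for i, f in found.items() if f}

def _part(body):  # helper that builds the constructed sample only
    return "--b\nContent-Type: text/html\n\n" + body + "\n"

# Constructed sample: parts 0 and 2 end mid-markup, part 1 is complete.
SAMPLE = ('Content-Type: multipart/mixed; boundary="b"\n\n'
          + _part('<p>first part</p><img alt="')
          + _part("<p>second part, complete</p>")
          + _part("<p>third part</p><!-- ") + "--b--\n")

if __name__ == "__main__":
    print(scan_message(SAMPLE))
```

A part flagged here is one whose markup would absorb the start of the next part if the parts were concatenated as text before parsing.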


More information about the Gnupg-users mailing list