Breaking MIME concatenation
Lukas Pitschl | GPGTools
lukele at gpgtools.org
Tue May 15 17:53:39 CEST 2018
> Am 15.05.2018 um 17:44 schrieb Patrick Brunschwig <patrick at enigmail.net>:
> I already tried a while ago to trick the Thunderbird HTML rendering
> engine with tricks like this... They don't work. The rendering engine
> ignores the </html> tag (and also tags like </body>).
> I think the correct solution must be to treat each MIME part
> independently, i.e. it needs to be parsed independently by the HTML
> engine and produce its own DOM tree. At the end, you can concatenate
> these DOM trees and create a single correct HTML document.
I have also already tried to implement a similar fix for Apple Mail a few days ago,
using <!--" <!-- --> which did work, but is probably a too naive attempt
to mitigate against these XSS-kind of attacks.
So I absolutely concur with Patricks statement, that the Mime Parsers have
to be adjusted to treat every text/html part as single DOM tree or even use different
web document instances to represent the message.
More information about the Gnupg-users