From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID:
Date: Fri, 26 Nov 2021 10:07:08 +0100
From: Thomas Lamprecht
To: Dominik Csapak , pmg-devel@lists.proxmox.com
References: <20211125141441.1383250-1-d.csapak@proxmox.com>
In-Reply-To: <20211125141441.1383250-1-d.csapak@proxmox.com>
Subject: [pmg-devel] applied: [PATCH pmg-api v2] fix #3734: scrub 'url' from style tags/attributes
List-Id: Proxmox Mail Gateway development discussion
Content-Type: text/plain; charset=UTF-8

On 25.11.21 15:14, Dominik Csapak wrote:
> if 'view images' for the quarantine is disabled, it is expected that
> *no* images will be loaded. but in addition to img (src/href/etc.)
> also css can load external images via the 'url' directive
>
> since html scrubber does not parse/iterate over css, we simply remove
> the url+protocol part of those tags/attributes. this technically leaves behind
> invalid css, but the browsers should cope with that.
> (we cannot 'cleanly' remove without much more effort because of quoting)
>
> also we have to scrub the style tags in 'dump_html' since HTML::Scrubber
> does not have a way to modify the *content* of a tag, only the
> attributes...
>
> Signed-off-by: Dominik Csapak
> ---
> changes from v1:
> * replace url with ___ and protocol:// with _ instead of removing
> * move sub out and use the reference
> * always pass $cid_hash and only use it in the function when
>   $view_images is set
> * improve comment to show what 'dump_html' does
>
> @thomas: a note to our off-list discussion regarding url-encoding the
> protocol: you *could* do it, but the browser does not recognize it as
> a protocol and interprets it as a relative url, so we're safe in
> this regard
>
>  src/PMG/HTMLMail.pm | 31 +++++++++++++++++++++++++++----
>  1 file changed, 27 insertions(+), 4 deletions(-)
>

ok, so I went down the wrong road due to the code-ref passing, ref(\foo) being
SCALAR vs \&foo being CODE tripped up the scrubber. So after a pair
debugging/understanding session with Dominik (thx!) I now:

* appreciate our perl code way more, as Scrubber shows that one can do it way
  more cryptic and harder to grasp
* got that the style stuff now works pretty great, I only fixed the undef value
  variant for the url remover and passing the code-ref

applied, thanks!
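The scrubbing approach described in the patch message above, as an added Python example that is not PMG's own code (src/PMG/HTMLMail.pm is Perl and builds on HTML::Scrubber; nothing below is taken from it). It applies the same token rewrite, url( to ___( and scheme:// to _, in the two places the message names: style attributes, which an attribute-level scrubber can reach, and the text content of <style>, which it cannot. It also uses urllib.parse to show the point from the off-list note that a percent-encoded protocol is not a scheme. The sample HTML, the tracker.invalid host and the names scrub_css, has_scheme, StyleScrubber and scrub_html are all constructed for this example.

```python
"""Neutralise CSS url() loads in untrusted HTML (constructed example)."""
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# "url(" in any case, tolerating whitespace before the paren, and "scheme://".
URL_DIRECTIVE_RE = re.compile(r"url\s*\(", re.IGNORECASE)
SCHEME_RE = re.compile(r"[a-z][a-z0-9+.\-]*://", re.IGNORECASE)


def scrub_css(css: str) -> str:
    """Disarm external references in a CSS fragment without parsing it.

    'url(' becomes '___(' and 'scheme://' becomes '_'. Removing the whole
    url(...) expression cleanly would need quote-aware parsing; rewriting the
    two tokens the browser needs leaves invalid CSS, which browsers drop.
    Protocol-relative values such as url(//host/x.png) carry no scheme but
    are still caught by the first rewrite.
    """
    css = URL_DIRECTIVE_RE.sub("___(", css)
    return SCHEME_RE.sub("_", css)


def has_scheme(ref: str) -> bool:
    """True if a reference carries a URL scheme and would be fetched from that
    origin. Percent-encoding the colon ("http%3A//...") leaves no scheme, so a
    browser resolves the value as a relative path instead."""
    return urlsplit(ref).scheme != ""


class StyleScrubber(HTMLParser):
    """Re-emit HTML, scrubbing style="" attributes and <style> bodies."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
        self._style_buf = None  # list while inside <style>, else None

    def _emit_tag(self, tag, attrs, selfclosing):
        parts = [tag]
        for name, value in attrs:
            if value is None:
                parts.append(name)
                continue
            if name == "style":  # attribute-level CSS: reachable by any scrubber
                value = scrub_css(value)
            parts.append(f'{name}="{html.escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + (" />" if selfclosing else ">"))

    def handle_starttag(self, tag, attrs):
        self._emit_tag(tag, attrs, False)
        if tag == "style":
            self._style_buf = []

    def handle_startendtag(self, tag, attrs):
        self._emit_tag(tag, attrs, True)

    def _flush_style(self):
        # Scrub the whole <style> body at once so a token split across parser
        # chunks cannot slip through; this is the content an attribute-only
        # scrubber never sees.
        if self._style_buf is not None:
            self.out.append(scrub_css("".join(self._style_buf)))
            self._style_buf = None

    def handle_endtag(self, tag):
        if tag == "style":
            self._flush_style()
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._style_buf is not None:
            self._style_buf.append(data)
        else:
            self.out.append(data)

    def close(self):
        super().close()
        self._flush_style()  # unterminated <style> still gets scrubbed

    # Pass other constructs through unchanged.
    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def scrub_html(doc: str) -> str:
    p = StyleScrubber()
    p.feed(doc)
    p.close()
    return "".join(p.out)


# Constructed sample: one tracking pixel via <style>, one via a style attribute.
SAMPLE_HTML = (
    "<html><head><style>\n"
    'body { background: url("https://tracker.invalid/pixel.png") }\n'
    ".a { background-image: URL( 'http://tracker.invalid/a.png' ) }\n"
    "</style></head>\n"
    '<body><div style="background:url(//tracker.invalid/b.png); color: red">x</div>\n'
    '<p style="color: blue">no url here</p></body></html>'
)

if __name__ == "__main__":
    print(scrub_html(SAMPLE_HTML))
```

Running the module prints the scrubbed document; the style attribute without a url() is left untouched, while both tracker references end up as ___( with the scheme reduced to _, which no browser will fetch.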