linagora / tmail-flutter

A multi-platform (Flutter) application for reading your emails, with your favorite devices, using the JMAP protocol!

GNU Affero General Public License v3.0

327 stars 75 forks source link

TF-3243 Fix email without content #3245

Closed dab246 closed 3 weeks ago

dab246 commented 3 weeks ago

Issue

3243

Root cause

Because the function Uri.decodeFull(inputText) throws an exception FormatException: Invalid UTF-8 byte (at offset 11) during handle 3D Links in DOM.
This error only occurs on the web

Solution

Add try/catch blocks to all email transformer DOM handler functions

Resolved

Web:

https://github.com/user-attachments/assets/de975aff-0f1d-454e-b41a-af26412e8aa8

Mobile:

demo-mobile.webm

github-actions[bot] commented 3 weeks ago

This PR has been deployed to https://linagora.github.io/tmail-flutter/3245.

chibenwa commented 3 weeks ago

Add try/catch blocks to all email transformer and sanitize handler functions

Does this means that if I send a broken base64 link then HTML sanitizing is bypassed and thus I could pass an XSS payload after the broken base64 link?

dab246 commented 3 weeks ago

Add try/catch blocks to all email transformer and sanitize handler functions

Does this means that if I send a broken base64 link then HTML sanitizing is bypassed and thus I could pass an XSS payload after the broken base64 link?

No. We do HTML sanitization before DOM processing. This error does not try/catch function Uri.decodeFull(inputText) when processing 3D links during DOM processing. So we always block XSS from the start.

hoangdat commented 3 weeks ago

please rebase @dab246

dab246 commented 3 weeks ago

please rebase @dab246

Done. @hoangdat