Blank mail body after updating from 8.8.15 p29 to p30
Hi everyone,
yesterday we upgraded a medium-sized Zimbra 8.8.15 installation from patch 29 to the latest available (8.8.15.1643980846.p30-1).
This morning we got several complaints about mails that were correctly rendered before the update, but are now displayed with a blank body.
I already saw some topics (dating from several months ago) about similar issues, and pointing to owasp; issue is that the content was correctly displayed with patch 29.
From the evidence I got, issue seems that owasp throws an exception when there's an html comment opening inside the body of the mail. Every time someone tries to display one of such mails, an entry similar to the following is logged in mailbox.log:
2022-03-17 15:44:44,010 WARN [qtp1684792003-70964:https://my.domain.com/service/soap/GetMsgRequest] [name=username@domain.com;mid=285;oip=::ffff:11.22.33.44;ua=ZimbraWebClient - FF98 (Linux)/8.8.15_GA_4232;soapId=18d00465;] soap - Exception during HTML sanitization: java.lang.AssertionError: Invalid CDATA text content : <!--
And yes, the body of the mail indeed contains at least one html comment opening ("<!--").
Has anyone seen such an issue, especially after a recent update? Or maybe found any workaround (besides disabling the html sanitization)?
Thanks in advance.
Kind regards,
Gabriele
Re: Blank mail body after updating from 8.8.15 p29 to p30
Hi,
We have the same issue after that update.
What I found was that it looks like it is caused by the following code from the source of the emails:
Code:
@media only screen and (max-width: 550px), screen and (max-device-width: =
550px) {
body[yahoo] .hide {display: none!important;}
body[yahoo] .buttonwrapper {background-color: transparent!important;}
body[yahoo] .button {padding: 0px!important;}
body[yahoo] .button a {background-color: #e05443; padding: 15px 15px 13px=
!important;}
body[yahoo] .unsubscribe {display: block; margin-top: 20px; padding: 10px=
50px; background: #2f3942; border-radius: 5px; text-decoration: none!impor=
tant; font-weight: bold;}
}
/*@media only screen and (min-device-width: 601px) {
.content {width: 600px !important;}
.col425 {width: 425px!important;}
.col380 {width: 380px!important;}
}*/
When I remove that part from the e-mail and open it again, the e-mail shows up as normal, but there is no real solution for it yet because these e-mails are sent by a 3rd party.
Kind regards,
M_vdM
- Outstanding Member
- Posts: 265
- Joined: Thu May 12, 2016 1:56 pm
- Location: Belgium
- ZCS/ZD Version: 9.0.0
Re: Blank mail body after updating from 8.8.15 p29 to p30
Can you share an e-mail message with this problem?
Re: Blank mail body after updating from 8.8.15 p29 to p30
I can only share the part in my previous post. The rest of the e-mail contains company information, and after censoring it there will probably not be much left of the original e-mail anymore.
Kind regards,
M_vdM
- L. Mark Stone
- Ambassador
- Posts: 2802
- Joined: Wed Oct 09, 2013 11:35 am
- Location: Portland, Maine, US
- ZCS/ZD Version: 10.0.7 Network Edition
- Contact:
Re: Blank mail body after updating from 8.8.15 p29 to p30
We are experiencing this as well and have opened a Support Case with Zimbra to get this addressed. We are on Patch 30 FWIW.
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
Re: Blank mail body after updating from 8.8.15 p29 to p30
Hi,
Similar issue.
I am on 8.8.15 p31.
Here is the error:
soap - Exception during HTML sanitization: java.lang.AssertionError: Invalid CDATA text content : -->
I don't know when it began.
Do you have a workaround?
Re: Blank mail body after updating from 8.8.15 p29 to p30
Inglebard wrote:
> Hi,
> Similar issue.
> I am on 8.8.15 p31.
> Here is the error:
> soap - Exception during HTML sanitization: java.lang.AssertionError: Invalid CDATA text content : -->
> I don't know when it began.
> Do you have a workaround?
There is no workaround yet.
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
Re: Blank mail body after updating from 8.8.15 p29 to p30
Did someone try to disable owasp?
Code:
zmlocalconfig -e zimbra_use_owasp_html_sanitizer=FALSE
zmmailboxdctl restart
Re: Blank mail body after updating from 8.8.15 p29 to p30
In response to the case I opened, Zimbra Support have opened a bug to address this issue: ZBUG-2744.
If you are a Network Edition customer for whom addressing this bug is a priority (e.g. impacts a large number of users and/or renders important emails like payroll deposit notifications unreadable), you can open your own Support Case to ask that this bug be addressed as a priority.
When you open the case, I'd suggest including log file snippets showing the error, and also include the ASCII versions of the bodies of the impacted emails, to empower the developers to update the OWASP sanitizer to include as many of these situations as practicable.
Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
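For gathering the log snippets suggested in the post above, here is an added example (not part of the original thread and not Zimbra tooling) that parses mailbox.log lines in the format quoted in this thread and summarizes sanitizer failures per account. The sample lines are constructed from the quoted entry; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the entry quoted in this thread;
# accounts, IPs and IDs are placeholders, not real data.
_LINE = ("{ts} WARN  [qtp1-{n}:https://my.domain.com/service/soap/GetMsgRequest] "
         "[name={acct};mid={mid};oip=::ffff:11.22.33.44;"
         "ua=ZimbraWebClient - FF98 (Linux)/8.8.15_GA_4232;soapId=18d00465;] "
         "soap - Exception during HTML sanitization: "
         "java.lang.AssertionError: Invalid CDATA text content : {tok}")
SAMPLE_LOG = "\n".join([
    _LINE.format(ts="2022-03-17 15:44:44,010", n=1, acct="username@domain.com", mid=285, tok="<!--"),
    _LINE.format(ts="2022-03-17 15:50:02,411", n=2, acct="username@domain.com", mid=285, tok="<!--"),
    _LINE.format(ts="2022-03-17 16:01:13,007", n=3, acct="other@domain.com", mid=412, tok="-->"),
    "2022-03-17 16:02:00,000 INFO  [qtp1-4] [name=other@domain.com;mid=412;] soap - unrelated entry",
])

# timestamp, level, [thread:url], [key=value;...], then the sanitizer message
ENTRY = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+\w+\s+"
    r"\[[^\]]*\]\s+\[(?P<ctx>[^\]]*)\]\s+soap - "
    r"Exception during HTML sanitization: (?P<exc>[\w.$]+): (?P<msg>.*)$")

def parse_line(line):
    """Return the fields of one sanitizer-failure entry, or None for any other line."""
    m = ENTRY.match(line)
    if not m:
        return None
    ctx = dict(kv.split("=", 1) for kv in m["ctx"].split(";") if "=" in kv)
    return {"ts": m["ts"], "name": ctx.get("name", "?"), "mid": ctx.get("mid"),
            "exception": m["exc"],
            # text after the last " : " is the content the sanitizer rejected
            "token": m["msg"].rpartition(" : ")[2].strip()}

def summarize(log_text):
    """Group failures by account: count, rejected tokens, first and last timestamp."""
    acc = defaultdict(lambda: {"count": 0, "tokens": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        hit = parse_line(line)
        if hit is None:
            continue
        s = acc[hit["name"]]
        s["count"] += 1
        s["tokens"].add(hit["token"])
        s["first"] = s["first"] or hit["ts"]
        s["last"] = hit["ts"]
    return dict(acc)

if __name__ == "__main__":
    for account, s in sorted(summarize(SAMPLE_LOG).items()):
        print(account, s["count"], sorted(s["tokens"]), s["first"], s["last"])
```
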
Re: Blank mail body after updating from 8.8.15 p29 to p30
Inglebard wrote:
> Did someone try to disable owasp?
> Code:
> zmlocalconfig -e zimbra_use_owasp_html_sanitizer=FALSE
> zmmailboxdctl restart
Turning this off means losing this otherwise excellent defense against cross site scripting attacks.
At least in the cases our users reported, the emails render OK on their mobile devices, so there is already a kind of workaround.
Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate