OWASP sanitizer is fragged

tlgerdes
Posts: 42
Joined: Mon Nov 21, 2022 4:02 am

OWASP sanitizer is fragged

Post by tlgerdes »

Yet another to hit the Zimbra OWASP sanitizer html webclient display issue.

Migrated from CentOS 6 to Rocky 8 and upgraded from 9.0.0 p19 to p26, and suddenly HTML emails won't render in the webclient. Disable the OWASP check "zmlocalconfig -e zimbra_use_owasp_html_sanitizer=false" and all is displayed again.

What do we have to do to get this fixed and working properly? Is there some sort of setting that we can tweak?
ghen
Outstanding Member
Posts: 258
Joined: Thu May 12, 2016 1:56 pm
Location: Belgium
ZCS/ZD Version: 9.0.0

Re: OWASP sanitizer is fragged

Post by ghen »

This was a regression in P26. Check P27 and P28 release notes.
tlgerdes
Posts: 42
Joined: Mon Nov 21, 2022 4:02 am

Re: OWASP sanitizer is fragged

Post by tlgerdes »

Sorry, I mistyped, I am on P28, not P26.

$ zmcontrol -v
Release 9.0.0_GA_4325.RHEL8_64_20220629074359 RHEL8_64 NETWORK edition, Patch 9.0.0_P28.

I applied the config

$ zmlocalconfig -e zimbra_strict_unclosed_comment_tag=false
$ zmlocalconfig -e zimbra_use_owasp_html_sanitizer=true
$ zmmailboxdctl restart

And it doesn't fix the problem.
Screenshot 2022-11-28 104115.jpg
Had to revert to sanitizer=false

The email should look like this
Screenshot 2022-11-28 104459.jpg
tlgerdes
Posts: 42
Joined: Mon Nov 21, 2022 4:02 am

Re: OWASP sanitizer is fragged

Post by tlgerdes »

ALL HTML emails do not display.

Text emails are seen correctly.
saket.patel
Zimbra Employee
Posts: 137
Joined: Mon Apr 11, 2022 8:39 pm

Re: OWASP sanitizer is fragged

Post by saket.patel »

Please open a support case with the affected email, so we can analyse it and provide a solution for the problem.