mail body blank on web gui

ghen
Outstanding Member
Posts: 282
Joined: Thu May 12, 2016 1:56 pm
Location: Belgium
ZCS/ZD Version: 9.0.0

Re: mail body blank on web gui

Post by ghen »

zimbra_strict_unclosed_comment_tag=false seems to cause other rendering issues though, where commented CSS code inside <style> tags is now being interpreted, whereas it shouldn't be.

This also impacts mails that previously rendered correctly, so we're still undecided whether to use this workaround or not ...

Is this upstream OWASP fix expected in the near future?
ghen
Outstanding Member
Posts: 282
Joined: Thu May 12, 2016 1:56 pm
Location: Belgium
ZCS/ZD Version: 9.0.0

Re: mail body blank on web gui

Post by ghen »

We don't seem to have such side effects with zimbra_strict_unclosed_comment_tag=false combined with zimbra_skip_tags_with_unclosed_cdata="" (empty, instead of the default "styles" value).

But zimbra_skip_tags_with_unclosed_cdata isn't documented anywhere, I only saw it in the source code. Can you advise?
infrasegur2023
Posts: 6
Joined: Tue Oct 03, 2023 3:48 pm

Re: mail body blank on web gui

Post by infrasegur2023 »

infrasegur2023 wrote: Thu Oct 26, 2023 12:27 pm
Thanks @saket.patel for the suggestion, will try.
I'll post in a couple of months if it works.

I assume it's related to this:
Mails having unclosed comment tags were not displayed when OWASP sanitization was enabled. A new LC config zimbra_strict_unclosed_comment_tag has been introduced from this patch onwards to handle such emails. The default value is true, which will not display mails having an unclosed comment tag. If set to false, the emails with unclosed comment tags will be displayed. - https://jira.corp.synacor.com/browse/ZBUG-2978
Yes, the fix works so far, no blank emails.
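To see which bodies the two knobs discussed in this thread would affect, here is a small triage scanner written for this post (added example, not Zimbra's or the OWASP sanitizer's own code). It approximates the behaviour the release note describes: a "<!--" that is never closed by "-->" blanks the mail under strict mode, and a "<!--" inside a raw-text element such as <style> is ignored unless the skip list is emptied; the function names, the approximation and the sample bodies are all assumptions.

```python
import re

# Default for the tags whose content is raw text, mirroring the thread's default
# zimbra_skip_tags_with_unclosed_cdata="style". Names here are our own, not Zimbra's.
DEFAULT_SKIP_TAGS = ("style",)


def _raw_text_spans(html, tags):
    """(start, end) offsets of the content of each raw-text element (assumption:
    an element that is never closed runs to the end of the document)."""
    spans = []
    for tag in tags:
        pattern = rf"<{tag}\b[^>]*>(.*?)(?:</{tag}\s*>|\Z)"
        for m in re.finditer(pattern, html, re.IGNORECASE | re.DOTALL):
            spans.append((m.start(1), m.end(1)))
    return spans


def find_unclosed_comments(html, skip_tags=DEFAULT_SKIP_TAGS):
    """Offsets of '<!--' tokens never closed by '-->'.

    A '<!--' inside one of skip_tags is CSS/JS text, not an HTML comment, so it is
    ignored; passing skip_tags=() reproduces the "" setting from the thread."""
    spans = _raw_text_spans(html, skip_tags)
    unclosed = []
    pos = 0
    while (start := html.find("<!--", pos)) != -1:
        if any(a <= start < b for a, b in spans):
            pos = start + 4  # inside <style>: not markup, keep scanning
            continue
        end = html.find("-->", start + 4)
        if end == -1:
            unclosed.append(start)
            break  # a parser treats the rest as comment, so nothing after it is visible
        pos = end + 3
    return unclosed


def would_render_blank(html, strict_unclosed_comment_tag=True, skip_tags=DEFAULT_SKIP_TAGS):
    """Approximation of the strict behaviour from the release note (assumption)."""
    return strict_unclosed_comment_tag and bool(find_unclosed_comments(html, skip_tags))


# Constructed sample bodies, not taken from real mail.
BODY_UNCLOSED = "<html><body><!-- unclosed banner<p>Hello</p></body></html>"
BODY_STYLE = "<style><!-- body{color:red} </style><p>ok</p>"
BODY_CLEAN = "<p>a</p><!-- ok --><p>b</p>"

if __name__ == "__main__":
    for name, body in (("unclosed", BODY_UNCLOSED), ("style", BODY_STYLE), ("clean", BODY_CLEAN)):
        print(name, "strict+style:", would_render_blank(body), "strict+empty:", would_render_blank(body, skip_tags=()))
```

Running it over a folder of exported .eml bodies shows how many mails the strict default would hide, and whether emptying the skip list (as ghen did) adds false positives from commented CSS.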
ghen
Outstanding Member
Posts: 282
Joined: Thu May 12, 2016 1:56 pm
Location: Belgium
ZCS/ZD Version: 9.0.0

Re: mail body blank on web gui

Post by ghen »

Hi

With ZBUG-4108, Zimbra 9.0.0 Patch 41 seems to have introduced a new OWASP html sanitizer knob: zimbra_owasp_strip_alt_tags_with_handlers.
What's the meaning of this configuration, and what are now the recommended settings for OWASP protection without too many false positives?

We are currently running with:

zimbra_use_owasp_html_sanitizer = true
zimbra_strict_unclosed_comment_tag = false (default: true)
zimbra_skip_tags_with_unclosed_cdata = "" (empty, default: "style")

Should we revert the latter two to their defaults after upgrading?
ronstra
Zimbra Employee
Posts: 14
Joined: Wed Dec 01, 2021 5:28 pm
Location: Buffalo, NY
ZCS/ZD Version: ZoK

Re: mail body blank on web gui

Post by ronstra »

ghen wrote: Wed Sep 04, 2024 6:17 pm
With ZBUG-4108, Zimbra 9.0.0 Patch 41 seems to have introduced a new OWASP html sanitizer knob: zimbra_owasp_strip_alt_tags_with_handlers.
What's the meaning of this configuration, and what are now the recommended settings for OWASP protection without too many false positives?

We are currently running with:

zimbra_use_owasp_html_sanitizer = true
zimbra_strict_unclosed_comment_tag = false (default: true)
zimbra_skip_tags_with_unclosed_cdata = "" (empty, default: "style")

Should we revert the latter two to their defaults after upgrading?
`zimbra_owasp_strip_alt_tags_with_handlers` was introduced to enable an OWASP attribute policy to deal with a specific case of HTML XSS smuggling. As far as I'm aware, it doesn't conflict with or supersede any of the other settings you mention. I recommend leaving it at the default, enabled.

-Ron
--
Ron Straight
Sr Software Engineer / Zimbra / Synacor
ghen
Outstanding Member
Posts: 282
Joined: Thu May 12, 2016 1:56 pm
Location: Belgium
ZCS/ZD Version: 9.0.0

Re: mail body blank on web gui

Post by ghen »

Clear, thanks Ron.

So I assume the rendering issues reported in this thread have not yet been fixed:
saket.patel wrote: Mon Nov 20, 2023 11:03 am
Yes, it is an issue with the OWASP sanitizer, and hence we have given an alternative fix by tweaking the LC value; we will remove this LC when the fix is made upstream.