zimbra_strict_unclosed_comment_tag=false seems to cause other rendering issues though, where commented CSS code inside <style> tags is now being interpreted, whereas it shouldn't be.
This also impacts mails that previously rendered correctly, so we're still undecided whether to use this workaround or not ...
Is this upstream OWASP fix expected in the near future?
mail body blank on web gui
- Outstanding Member
- Posts: 282
- Joined: Thu May 12, 2016 1:56 pm
- Location: Belgium
- ZCS/ZD Version: 9.0.0
Re: mail body blank on web gui
We don't seem to have such side effects with zimbra_strict_unclosed_comment_tag=false combined with zimbra_skip_tags_with_unclosed_cdata="" (empty, instead of the default "styles" value).
But zimbra_skip_tags_with_unclosed_cdata isn't documented anywhere, I only saw it in the source code. Can you advise?
- Posts: 6
- Joined: Tue Oct 03, 2023 3:48 pm
Re: mail body blank on web gui
infrasegur2023 wrote: ↑Thu Oct 26, 2023 12:27 pm
Thanks @saket.patel for the suggestion, will try.
I'll post in a couple of months if it works.
I assume it's related to this:
Mails having unclosed comment tags were not displayed when OWASP sanitization was enabled. A new LC config zimbra_strict_unclosed_comment_tag has been introduced from this patch onwards to handle such emails. The default value is true which will not display mails having an unclosed comment tag. If set to false, the emails with unclosed comment tags will be displayed. - https://jira.corp.synacor.com/browse/ZBUG-2978 (ZBUG-2978)

Yes, the fix works so far, no blank emails.
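The ZBUG-2978 text above describes one LC knob, and the thread later adds a second undocumented one, but neither says how to find out which of your stored messages are affected. As an added example (not part of this thread and not Zimbra's own code), here is a small Python scanner that walks an HTML body the way an HTML5 tokenizer would, honouring quoted attribute values and the raw-text content of style and script, and reports an unclosed `<!--` comment or an unclosed style/script element, together with the localconfig key from this thread that governs it. The "blank"/"rendered" prediction models only what the ZBUG-2978 description states for zimbra_strict_unclosed_comment_tag; the thread gives no semantics for zimbra_skip_tags_with_unclosed_cdata, so that case is flagged but not predicted. The sample bodies are constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass

# Elements whose content an HTML5 tokenizer treats as raw text: no comments or
# tags are recognised inside them until the matching end tag. "style" is the
# value this thread reports as the default of zimbra_skip_tags_with_unclosed_cdata.
RAW_TEXT_TAGS = ("style", "script")

# Which localconfig key discussed in the thread each finding relates to.
LC_KEY_FOR = {
    "unclosed_comment": "zimbra_strict_unclosed_comment_tag",
    "unclosed_cdata": "zimbra_skip_tags_with_unclosed_cdata",
}


@dataclass
class Finding:
    kind: str     # "unclosed_comment" or "unclosed_cdata"
    tag: str      # element name for unclosed_cdata, "" for comments
    offset: int   # character offset where the unclosed construct starts


def scan_html(html: str) -> list[Finding]:
    """Single pass over the markup tracking comments, quoted attribute values
    and raw-text elements; report constructs still open at end of input."""
    findings: list[Finding] = []
    lower = html.lower()
    i, n = 0, len(html)
    while i < n:
        if html.startswith("<!--", i):
            end = html.find("-->", i + 4)
            if end == -1:
                # An HTML5 tokenizer swallows everything to EOF here; so do we.
                findings.append(Finding("unclosed_comment", "", i))
                break
            i = end + 3
            continue
        if html[i] != "<":
            i += 1
            continue
        # Start or end tag: read the name, then skip to the closing '>' while
        # honouring quotes, so "<!--" inside alt="..." is not taken as a comment.
        j = i + 1
        while j < n and html[j].isalnum():
            j += 1
        name = lower[i + 1:j]
        k, quote = j, None
        while k < n:
            c = html[k]
            if quote:
                if c == quote:
                    quote = None
            elif c in ('"', "'"):
                quote = c
            elif c == ">":
                break
            k += 1
        if k >= n:
            break  # unterminated tag: nothing more to tokenize
        k += 1
        if name in RAW_TEXT_TAGS:
            close = lower.find("</" + name, k)
            if close == -1:
                findings.append(Finding("unclosed_cdata", name, i))
                break
            i = close
            continue
        i = k
    return findings


def affected_lc_keys(html: str) -> list[str]:
    """Localconfig keys from the thread whose value matters for this body."""
    return sorted({LC_KEY_FOR[f.kind] for f in scan_html(html)})


def predicted_display(html: str, strict_unclosed_comment_tag: bool = True) -> str:
    """Model only what ZBUG-2978 states: with the strict default, a body with an
    unclosed comment is not displayed; with the key set to false it is shown."""
    if strict_unclosed_comment_tag and any(
        f.kind == "unclosed_comment" for f in scan_html(html)
    ):
        return "blank"
    return "rendered"


# Constructed sample bodies for the example (not taken from any real mail).
SAMPLES = {
    "unclosed_comment": '<p>Hello</p><!-- pixel removed by sender <img src="x">',
    "comment_in_attr": '<img alt="<!--" src="cid:logo"><p>fine</p>',
    "unclosed_style": "<style>/* <!-- old IE hack */ p { color: red }",
    "clean": "<p>ok</p><!-- note --><style>p{}</style>",
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(label, affected_lc_keys(body),
              "strict:", predicted_display(body),
              "lenient:", predicted_display(body, strict_unclosed_comment_tag=False))
```

Run it over the HTML parts of messages exported from the store to see which of the two keys each "blank" mail actually depends on before deciding whether to keep the workaround values from this thread.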
- Outstanding Member
- Posts: 282
- Joined: Thu May 12, 2016 1:56 pm
- Location: Belgium
- ZCS/ZD Version: 9.0.0
Re: mail body blank on web gui
Hi
With ZBUG-4108, Zimbra 9.0.0 Patch 41 seems to have introduced a new OWASP html sanitizer knob: zimbra_owasp_strip_alt_tags_with_handlers.
What's the meaning of this configuration, and what are now the recommended settings for OWASP protection without too many false positives?
We are currently running with:

zimbra_use_owasp_html_sanitizer = true
zimbra_strict_unclosed_comment_tag = false (default: true)
zimbra_skip_tags_with_unclosed_cdata = "" (empty, default: "style")

Should we revert the latter two to their defaults after upgrading?
- ronstra
- Zimbra Employee
- Posts: 14
- Joined: Wed Dec 01, 2021 5:28 pm
- Location: Buffalo, NY
- ZCS/ZD Version: ZoK
Re: mail body blank on web gui
ghen wrote: ↑Wed Sep 04, 2024 6:17 pm
With ZBUG-4108, Zimbra 9.0.0 Patch 41 seems to have introduced a new OWASP html sanitizer knob: zimbra_owasp_strip_alt_tags_with_handlers.
What's the meaning of this configuration, and what are now the recommended settings for OWASP protection without too many false positives?
We are currently running with:
zimbra_use_owasp_html_sanitizer = true
zimbra_strict_unclosed_comment_tag = false (default: true)
zimbra_skip_tags_with_unclosed_cdata = "" (empty, default: "style")
Should we revert the latter two to their defaults after upgrading?

`zimbra_owasp_strip_alt_tags_with_handlers` was introduced to enable an OWASP attribute policy to deal with a specific case of HTML XSS smuggling. As far as I'm aware, it doesn't conflict with or supersede any of the other settings you mention. I recommend leaving it at the default, enabled.
-Ron
--
Ron Straight
Sr Software Engineer / Zimbra / Synacor
- Outstanding Member
- Posts: 282
- Joined: Thu May 12, 2016 1:56 pm
- Location: Belgium
- ZCS/ZD Version: 9.0.0
Re: mail body blank on web gui
Clear, thanks Ron.
So I assume the rendering issues reported in this thread have not yet been fixed:
saket.patel wrote: ↑Mon Nov 20, 2023 11:03 am
Yes, it is an issue with the OWASP sanitizer and hence we have given an alternative fix by tweaking an LC value; we will remove this LC when the fix is made in the upstream.