Hello all
The sanitizer (v 1.45) correctly defangs STYLE tags in HTML mail,
but if the composer omitted the comments <!-- .. --> inside the
STYLE tags, then the innards of the style tag are visible when
the message is displayed. This happens quite regularly.
Microsoft Outlook Express 5.00.2919.6600 using MimeOLE
V5.00.2919.6600 produces style tags like this (verbiage snipped):
<STYLE type=3Dtext/css>
.stbtm { BACKGROUND-COLOR: #cecbde; }
.stedit { BACKGROUND-COLOR: #484c68; }
</STYLE>
The defanged output is this:
<DEFANGED_STYLE type=3Dtext/css>
.stbtm { BACKGROUND-COLOR: #cecbde; }
.stedit { BACKGROUND-COLOR: #484c68; }
</DEFANGED_STYLE>
This is rendered as visible text, which is rather ugly (and would
be rather ugly in browers without style sheets too).
Second prize: It looks like quite a challenge to modify the code
to correct for this ms error -- replace <STYLE>...</STYLE> with
<DEFANGED_STYLE><!-- ... --></STYLE> (unless there was a comment
there already...) (sigh).
Third prize: An alternative approach to style tags would be to
disable the style by mangling the elements declared in the style
tag so that these never get referenced (e.g. .stbtm is rewritten
as .stbtmDEFANGED).
First prize: Even neater would be to eliminate each of the many
possibilities for abuse in style tags ... but there are probably
others:
expression
type=text/javascript
&:-)