ZCS-10594/TSS-18404: Fix for emails not displaying correctly. #2
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
In the classic UI, investigated why the links as displayed in the screenshots are coming over the edge and the css rules are not getting applied to it. Found that the actual issue for the Glassdoor e-mails in the classic UI is causing due to the following media queries in the style tag: @media not all and (pointer:coarse){.css-8= bsfb:hover{background-color:#056b27;border-color:#056b27;color:#fff !import= ant;}} When I tried to remove the above code and imported the Mimes, all the new imported mimes were getting rendered properly. Looked into the antisamy.xml file and the tag and attribute policies related to style and media. I tried changing and removing the policies related to it but there was no effect of those. I also tried upgrading to 1.6.3 but still having the same issue. The problem is causing not because of the OWASP but it's in the antisamy library during the serialization. During sanitization the above media queries were not removed but while antisamy library tries to perform the serialization of the document fragment those media queries are getting stripped off. For serialization antisamy is dependent on to another third party library which is causing the issue org.apache.xml.serialize.HTMLSerializer. This is reported and accepted as a bug in the antisamy library, so anythinh which comes ahead of the "@" symbol it gets stripped out. Reported Bug: org.apache.xml.serialize.HTMLSerializer I have also updated bug as per our issue. In the org.owasp.validator.html.scan.AntiSamyDOMScanner class, I was having the expected string prior to serialization and after the org.apache.xml.serialize.HTMLSerializer has done the serialization to the DocumentFragment whatever it was after the "@" symbol got stripped off in the style tag. Fix: Introduces an "if-else" condition to selectively serialize the DocumentFragment only if doesn't contains any "@" symbol otherwise append it to the StringWriter, which seems to fix our issue until we get a fix for bug from antisamy. Also, looking for HTMLSerializer which can handle the media queries in the style sheet.
log2akshat
requested review from
dajay0,
prashantajari,
Prashantsurana,
silentsakky,
sreejan-chowdhury and
thefoolwhocodes
sreejan-chowdhury
approved these changes
Jun 2, 2021
thefoolwhocodes
approved these changes
Jun 2, 2021
Open
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Problem:
Reported glassdoor E-mails not displaying correctly in the classic UI.
Analysis:
In the classic UI, investigated why the links as displayed in the screenshots are coming over the edge and the
CSSrules are not getting applied to it. Found that the actual issue for the Glassdoor e-mails in the classic UI is causing due to the followingmedia queriesin the style tag:When I tried to remove the above code and imported the Mimes, all the new imported mimes were getting rendered properly. Looked into the
antisamy.xmlfile and the tag and attribute policies related to style and media. I tried changing and removing the policies related to it but there was no effect of those.antisamyto1.6.3but still having the same issue.antisamywith latest version oforg.apache.xml.serializebut having the same issue.LSSerializerwhich comes bundled withXercesafter serialisation it's giving the same output.The problem is causing not because of the
OWASPbut it's in theantisamylibrary during theserialization. Duringsanitization, the above media queries were not removed but while theantisamylibrary tries to perform theserializationof the document fragment those media queries are getting stripped off. Forserializationantisamyis dependent on another third-party library which is causing the issueorg.apache.xml.serialize.HTMLSerializer.This is reported and accepted as a bug in the
antisamylibrary, so anything which comes ahead of the@symbol gets stripped out.Reported Bug
I have also updated the bug as per our issue.
In the
org.owasp.validator.html.scan.AntiSamyDOMScannerclass, I was having the expected string prior toserializationand after theorg.apache.xml.serialize.HTMLSerializerhas done theserializationto theDocumentFragmentwhatever it was after the@symbol got stripped off in the style tag.Fix: Introduces an
if-elsecondition to selectively serialize theDocumentFragmentonly if doesn't contain any@symbol otherwise append it to theStringWriter, which seems to fix our issue until we get a fix for bug fromantisamy. Also, looking for anHTMLSerializerwhich can handle the media queries in the style sheet.Testing Done:
CSSis displaying properly after the fix.Related PRs:
Zimbra/zm-mailbox
ZimbraOS/zm-mailbox