Bug 713656 - Message viewer: find a way to strip Javascript
Status: RESOLVED FIXED
Product: geary
Classification: Other
Component: conversations
Version: unspecified
Hardware: Other All
Importance: High normal
Target Milestone: 0.14.0
Assigned To: Geary Maintainers
Geary Maintainers
Depends on: geary-wk2
Blocks:
 
 
Reported: 2012-02-16 02:19 UTC by Eric Gregory
Modified: 2019-09-07 09:20 UTC
See Also:
GNOME target: ---
GNOME version: ---



Description Charles Lindsay 2013-11-21 20:22:27 UTC


---- Reported by eric@yorba.org 2012-02-15 18:19:00 -0800 ----

Original Redmine bug id: 4752
Original URL: http://redmine.yorba.org/issues/4752
Searchable id: yorba-bug-4752
Original author: Eric Gregory
Original description:

Currently the message viewer has Javascript completely disabled. That's fine
from a security standpoint, but is less than ideal for many of the features
we'd like to implement: drop down menus, hide/show quoted text, etc. While it
may be possible to do these features without Javascript it would also be hacky
and painful to maintain.

While removing script HTML elements is fairly trivial, the catch to all this
is that Javascript doesn't have to reside in a script element -- it can also
be found in attributes. For example, you can give an anchor an onclick
attribute that contains Javascript code directly; here's an example.

    <a href="#" onclick="alert('Hello world')">Click this link.</a>

There are many types of attributes that can contain Javascript. There's a
(partial?) list here:

http://www.w3schools.com/html5/html5_ref_eventattributes.asp

In addition, certain browsers have a non-standard feature where Javascript can
be executed from within CSS styles. We should investigate whether WebKit
allows this.



---- Additional Comments From geary-maint@gnome.bugs 2012-03-27 13:50:00 -0700 ----

### History

Updated by Adam Dingle over 1 year ago

  * **Target version** deleted (~~_0.1_~~)

Perhaps we won't need JavaScript so soon after all - we were able to implement
showing/hiding quoted blocks without it, for example.



--- Bug imported by chaz@yorba.org 2013-11-21 20:22 UTC  ---

This bug was previously known as _bug_ 4752 at http://redmine.yorba.org/show_bug.cgi?id=4752

Comment 1 Michael Gratton 2016-06-28 14:34:53 UTC

This will probably be obsoleted by Bug 765516?

Comment 2 Michael Gratton 2016-10-07 12:47:16 UTC

Not really related to Bug 765516, but will be an issue for Bug 728002 since we may want to use JavaScript helpers instead of using a WebExtension.

Comment 3 Michael Gratton 2017-04-23 07:07:15 UTC

Bumping things that aren't likely to make 0.12.0.

Comment 4 Michael Gratton 2018-06-26 04:46:41 UTC

Bump tickets to 0.14 that aren't going to make 0.13.

Comment 5 Michael Gratton 2019-09-07 09:20:55 UTC

Will be fixed when https://gitlab.gnome.org/GNOME/geary/merge_requests/303 lands (likely in 3.34.1).
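
The stripping problem from the original description, as an added example. It is not Geary's code and not the change in the merge request above. It removes script elements, event-handler attributes and `javascript:` URLs, and conservatively drops inline CSS as well. The names `ScriptStripper`, `keep_attr` and `strip_javascript` and the deny-list policy are assumptions made for this sketch.

```python
from html import escape
from html.parser import HTMLParser

# Assumed deny-list policy for this example; dropped elements lose their content too.
DROP_ELEMENTS = {"script", "style"}
URL_ATTRS = {"href", "src", "action", "formaction"}
SAMPLE = '<a href="#" onclick="alert(\'Hello world\')">Click this link.</a>'  # from the report

def keep_attr(name, value):
    if name.startswith("on") or name == "style":
        return False  # event handlers (onclick, onload, ...) and inline CSS
    if name in URL_ATTRS and value:
        # Entities are already decoded; browsers skip whitespace/control chars in schemes.
        scheme = "".join(c for c in value if c > " ").lower()
        return not scheme.startswith("javascript:")
    return True

class ScriptStripper(HTMLParser):  # hypothetical name
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip_depth = [], 0  # skip_depth > 0 inside a dropped element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_ELEMENTS:
            self.skip_depth += 1
        if self.skip_depth:
            return
        kept = "".join(f' {n}="{escape(v or "", quote=True)}"'
                       for n, v in attrs if keep_attr(n, v))
        self.out.append(f"<{tag}{kept}>")

    def handle_startendtag(self, tag, attrs):
        if tag not in DROP_ELEMENTS:
            self.handle_starttag(tag, attrs)  # <br/> is emitted as <br>

    def handle_endtag(self, tag):
        if tag in DROP_ELEMENTS:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

def strip_javascript(html):  # hypothetical helper
    parser = ScriptStripper()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)
```

Comments, doctypes and processing instructions are dropped because the parser's default handlers for them emit nothing. For untrusted mail, an allow-list of elements and attributes is more robust than this deny-list.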