https://bz.apache.org/SpamAssassin/show_bug.cgi?id=8205
Bug ID: 8205
Summary: text on transparent background is considered
"invisible"
Product: Spamassassin
Version: 4.0.0
Hardware: PC
OS: Windows 10
Status: NEW
Severity: major
Priority: P2
Component: Libraries
Assignee: dev@spamassassin.apache.org
Reporter: kent@mxguardian.net
Target Milestone: Undefined
Created attachment 5925
--> https://bz.apache.org/SpamAssassin/attachment.cgi?id=5925&action=edit
spample
There are two problems at play here:
1. The HTML parser doesn't recognize the color "transparent" as a valid color.
2. When either the foreground or background color is invalid, the parser treats
the text as invisible.
For example, consider this valid HTML snippet:
<div style="background-color:transparent">Evil text</div>
The HTML parser will treat "Evil text" as invisible so it's not made available
to Bayes or the body rules. This seems like a major flaw since a spammer can
simply wrap their email with the above code and the whole message becomes
invisible to SA. Browsers and MUA's will still render it because it's valid
HTML and it doesn't actually change the background color (it's essentially a
no-op). I don't know if this is being exploited intentionally but I've attached
a spample that is affected by this bug. I think it's also possible for this bug
to affect legitimate mail simply by accident, as there are many legitimate uses
for background-color:transparent.
I also created a patch so that usage of "transparent" as a background color is
ignored i.e. it's treated the same as "inherit".
--
You are receiving this mail because:
You are the assignee for the bug.
Bug ID: 8205
Summary: text on transparent background is considered
"invisible"
Product: Spamassassin
Version: 4.0.0
Hardware: PC
OS: Windows 10
Status: NEW
Severity: major
Priority: P2
Component: Libraries
Assignee: dev@spamassassin.apache.org
Reporter: kent@mxguardian.net
Target Milestone: Undefined
Created attachment 5925
--> https://bz.apache.org/SpamAssassin/attachment.cgi?id=5925&action=edit
spample
There are two problems at play here:
1. The HTML parser doesn't recognize the color "transparent" as a valid color.
2. When either the foreground or background color is invalid, the parser treats
the text as invisible.
For example, consider this valid HTML snippet:
<div style="background-color:transparent">Evil text</div>
The HTML parser will treat "Evil text" as invisible so it's not made available
to Bayes or the body rules. This seems like a major flaw since a spammer can
simply wrap their email with the above code and the whole message becomes
invisible to SA. Browsers and MUA's will still render it because it's valid
HTML and it doesn't actually change the background color (it's essentially a
no-op). I don't know if this is being exploited intentionally but I've attached
a spample that is affected by this bug. I think it's also possible for this bug
to affect legitimate mail simply by accident, as there are many legitimate uses
for background-color:transparent.
I also created a patch so that usage of "transparent" as a background color is
ignored i.e. it's treated the same as "inherit".
--
You are receiving this mail because:
You are the assignee for the bug.