[Kolab-devel] [issue2146] Kontact evaluates HTML tags in Contacts

Sascha Wilde kolab-issues at intevation.de
Wed Oct 31 12:26:10 CET 2007


New submission from Sascha Wilde <wilde at intevation.de>:

Kontact evaluates HTML tags in the various fields of a contact.
Especially interesting is the Email field:

Besides making undesirable fancy entries with big fonts, colors and
even tables(!) you can define working hyperlinks.  This is the
"feature" which worries me most.  You can define an email address
like this

<a href="mailto:blackhat@example.com">trusted@example.com</a>

and when the user clicks on the address to write a mail to
trusted@example.com, Kontact opens a mail-creation window with blackhat
as recipient.

And the possibilities of http URLs as link targets open a whole
universe to ideas for the evil mind...

Given that:

- Users tend not to read what's actually on the screen if they are in
  the belief that they know what they are doing.
- In small "Contacts" windows only the "Formatted Name" column might
  be visible. (so the poisoned address entry can't be seen).
- Spreading manipulated contacts is rather easy.

I consider this a serious problem.

----------
assignedto: till
messages: 12464
nosy: bernhard, bh, ludwig, osterfeld, till, vkrause, wilde
priority: critical
status: unread
title: Kontact evaluates HTML tags in Contacts
topic: enterprise35, kde client
________________________________________________
Kolab issue tracker <kolab-issues at intevation.de>
<https://intevation.de/roundup/kolab/issue2146>
________________________________________________
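The following is an added illustration of the problem described in the report above; it is not Kontact or Kolab code. It reads a constructed vCard whose EMAIL value is the anchor from the report, shows how to detect that the displayed address differs from the real mailto: target (the check a client or a server-side import filter would want), and shows the fix of treating contact fields as plain text by escaping them before display. The vCard, the property names and the helper names are assumptions made for the example.

```python
"""Detect HTML markup smuggled into vCard contact fields and show the
plain-text rendering that prevents the deception.

Added example for the Kolab issue above; not Kontact/Kolab code.  The
vCard below is constructed; the two addresses are the ones used in the
report.
"""
import html
from html.parser import HTMLParser

# Constructed sample: an EMAIL value that is an HTML anchor whose
# visible text differs from its mailto: target.
POISONED_VCARD = (
    "BEGIN:VCARD\r\n"
    "VERSION:3.0\r\n"
    "FN:Trusted Partner\r\n"
    'EMAIL:<a href="mailto:blackhat@example.com">trusted@example.com</a>\r\n'
    "END:VCARD\r\n"
)


def parse_vcard(text):
    """Minimal vCard reader: unfold continuation lines and return
    {PROPERTY: value}; parameters after ';' in the name are dropped."""
    unfolded = text.replace("\r\n ", "").replace("\r\n\t", "")
    props = {}
    for line in unfolded.split("\r\n"):
        if ":" not in line:
            continue
        name, value = line.split(":", 1)  # first ':' only; mailto: survives
        props[name.split(";", 1)[0].upper()] = value
    return props


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element and remember
    whether any tag at all appeared in the input."""

    def __init__(self):
        super().__init__()
        self.saw_tag = False
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        self.saw_tag = True
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _collect(value):
    p = _AnchorCollector()
    p.feed(value)
    p.close()
    return p


def contains_markup(value):
    """True if the field holds any HTML tag; a plain address never does."""
    return _collect(value).saw_tag


def deceptive_links(value):
    """Return [(real_target, shown_text)] for every anchor whose displayed
    text is not the address (or URL) the link actually points to."""
    out = []
    for href, shown in _collect(value).anchors:
        target = href[len("mailto:"):] if href.lower().startswith("mailto:") else href
        if target.strip().lower() != shown.lower():
            out.append((target.strip(), shown))
    return out


def render_as_text(value):
    """The fix: contact fields are data, not markup.  Escape them before
    handing them to an HTML-capable widget so tags are shown literally."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    email = parse_vcard(POISONED_VCARD)["EMAIL"]
    print("markup present :", contains_markup(email))
    print("deceptive links:", deceptive_links(email))
    print("safe rendering :", render_as_text(email))
```

The detection is deliberately narrow: it flags only anchors whose visible text and target disagree, which is the case the report worries about, while `contains_markup` is the blunt check an import filter would use to reject any HTML in a field that should hold a bare address.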