.eslintignore
author Ben Bucksch <ben.bucksch@beonex.com>
Mon, 21 May 2018 18:44:41 +0200
changeset 23964 96fab4a2b81189101231b12106823748c9a70a94
parent 23314 f8afcb3f18de1d71de1c52386587995a517033bc
child 24115 0698244578e94f305e64cb31e484eb969b79c3cf
permissions -rw-r--r--
Bug 1419417 - Parse HTML to make sure that tags and attributes are properly closed. r=mkmelin,jorgk This fixes the efail <http://efail.de> security bug, which opens a HTML tag or attribute in an HTML MIME part, then puts in a PGP-encrypted part, and then another HTML part with the closing quote or tag. This could be e.g. <img src=' or <form><textarea>, CSS URL or similar features that send out the following text as URL and therefore leak it to the attacker who crafted the email. The PGP part will then be decrypted and leak. The bug was that we just passed HTML through verbatim. The frontend does not have any further precautions, either. The correct solution here is to jail each MIME part into a separate <iframe type="content"> in the UI. However, we don't want one scrollbar for each MIME part, but one scroll for the entire body. <iframe seamless> would allow that, but it was never implemented in Firefox and is now dead. We might later find a workaround, but this is more work and can't be done short term. The fix here in libmime first parses the HTML that we get in the HTML MIME part, and then immediately serialized it again. That ensures that the HTML document is complete, syntactically correct, and all tags and attributes are properly closed, before we start with the next MIME part.

# Always ignore node_modules.
**/node_modules/**/*.*

# lint eslint config files which are excluded by default
!**/.eslintrc.js

# Exclude expected objdirs.
obj*/**

# Exclude mozilla directory, this one is checked separately
mozilla/**

# These directories don't contain any js and are not meant to
config/**
db/**
other-licenses/**
testing/**

# We ignore all these directories by default, until we get them enabled.
# If you are enabling a directory, please add directory specific exclusions
# below.
build/**
chat/**
editor/**
im/**
ldap/**
mail/**
mailnews/**
suite/**

# calendar/ exclusions

# prefs files
calendar/lightning/content/lightning.js
calendar/locales/en-US/lightning-l10n.js

# third party library
calendar/base/modules/ical.js

# preprocessed files
calendar/base/content/dialogs/calendar-migration-dialog.js
calendar/base/content/calendar-dnd-listener.js