There is an email in my mailbox that renders in text correctly and renders empty in HTML. Despite the fact that there is text to show. The original HTML contains a header with styles but ends by , with no body tag. The email gets rendered correctly in the old runbox web client.
In Runbox7 we are using the NodeJS mailparser for extracting HTML https://github.com/nodemailer/mailparser
If you are into Javascript programming, you can test parsing your email with it, and then it would be possible to determine if the problem is with the mailparser, or, if the mailparser works fine, the problem is at our end in the way we’re using it.
Otherwise we can check this for you too, but then we’d have to access that particular email.
Below is a similar script like the one used to parse emails on our server, that you can use for testing yourself (if you’re into Javascript):
'use strict';
if(process.argv.length<3) {
process.stdout.write("USAGE: nodejs emailtojson.js filename");
process.stdout.write("Example: nodejs emailtojson.js emailfile.eml");
return;
}
const fs = require('fs');
const MailParser = require('mailparser').MailParser;
const mailpath = process.argv[2];
let parser = new MailParser();
let input = fs.createReadStream(mailpath);
let mailobj = {
attachments: [],
text: {}
};
parser.on("headers",(headers) => {
let headerObj = {};
for (let [k,v] of headers) {
// We don’t escape the key '__proto__'
// which can cause problems on older engines
headerObj[k] = v;
}
mailobj.headers = headerObj;
});
parser.on("data",(data) => {
if(data.type === 'attachment'){
mailobj.attachments.push(data);
data.content.on('readable', () => data.content.read());
data.content.on('end', () => data.release());
} else {
mailobj.text = data;
}
});
parser.on("end",() => {
process.stdout.write(JSON.stringify(mailobj,(k,v)=>k==="content" || k==="release" ? undefined : v,3));
});
input.pipe(parser);
OK - so nothing wrong with the parser, but the HTML email contains Javascript which is not tolerated by the HTML security checks used in Runbox7, and in this case it seems like the presence of the script causes the HTML body content not to be output at all. It’s supposed to remove the script, and it does, but also removes the body content.
We can look into how to let the HTML body content pass through without the javascript.
However it’s not a good thing that the sender include Javascript in the HTML email. Probably not harmful in this case, but in general HTML mails with Javascript are risky.
OK - I have to correct myself here - actually I see that the HTML body of the message also contains Javascript and the script contains the data to be rendered.
Such emails depending on scripts to render will not be tolerated by Runbox7, it’s a significant security risk. So I’m afraid there’s nothing to be done in this case, but rather report back to the sender that they should not have scripts in their HTML emails.
Peter, thanks for the email. I’m rather surprised that a sender with an IT team behind sends an email of such a kind. Thanks for the information.