I just patched my Zimbra 8.8.15 to patch 33 and Zimbra 9 to patch 26. However, I got a problem viewing email in HTML mode on the Zimbra webmail. The email shows the content "if !mso". Some users on the Zimbra forum have a similar problem: https://forums.zimbra.org/viewtopic.php?f=13&t=71022&hilit=mso#p306022 and maybe this bug: https://github.com/Zimbra/zm-mailbox/pull/1277
I do not know if this is a safe workaround or not. However, this problem is quite annoying for end users. So, I am doing this until there is a safe way from Zimbra:
su - zimbra
zmlocalconfig -e zimbra_use_owasp_html_sanitizer=false
zmcontrol restart
Now the content "if !mso" has disappeared from the Zimbra webmail.
Good Luck 🙂
Thanks for the workaround.
There is an attempted fix up on github, but to be honest the proposed fix looks like it’s worse than the bug. Hopefully they will put together a fix that doesn’t hammer the system with global string replacements and can tell the difference between a message’s content and the HTML markup around it.
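An added illustration of the distinction drawn in the comment above, between a message's body text and the HTML markup around it. This is example code written for this page, not Zimbra's, the OWASP sanitizer's or the pull request's; the sample message is constructed and the tag allow-list is an assumption.

```python
from html import escape
from html.parser import HTMLParser

# Constructed sample message: Outlook conditional comments around markup,
# followed by ordinary body text that happens to contain the same token.
SAMPLE_HTML = (
    "<div>"
    "<!--[if !mso]><!--><p>Shown to non-Outlook clients</p><!--<![endif]-->"
    "<!--[if mso]><p>Shown only in Outlook</p><![endif]-->"
    "<p>Our template uses if !mso to hide this from Outlook.</p>"
    "</div>"
)

ALLOWED_TAGS = {"div", "p", "br", "b", "i"}  # assumed allow-list


def naive_global_replace(html: str) -> str:
    """Blanket string replacement: it cannot tell markup from message text,
    so the body sentence is mangled while the comment delimiters survive."""
    return html.replace("if !mso", "").replace("if mso", "")


class CommentDroppingSanitizer(HTMLParser):
    """Rebuilds the document from parsed nodes: comment nodes (which is what
    conditional comments are) are dropped whole, text nodes are kept and
    re-escaped, and only allow-listed tags are emitted, without attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.parts.append(f"<{tag}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.parts.append(f"</{tag}>")

    def handle_data(self, data):
        self.parts.append(escape(data))  # body text survives untouched

    def handle_comment(self, data):
        pass  # every comment, conditional or not, is dropped; nothing leaks as text


def sanitize(html: str) -> str:
    parser = CommentDroppingSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.parts)


if __name__ == "__main__":
    print(naive_global_replace(SAMPLE_HTML))
    print(sanitize(SAMPLE_HTML))
```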
This is a REALLY bad idea – OWASP is what is protecting you from some exploits and what could have protected against some of the earlier bugs, if it was deployed.
Thank you for your information. I have enabled OWASP again after receiving the new patch.