Workaround : Zimbra HTML Problem after Patch 26/33

Posted by

I just patching my Zimbra 8.8.15 to patch 33 and Zimbra 9 to patch 26. However, I got problem view email with HTML mode on Zimbra webmail. The email has content “if !mso”. Some users on Zimbra forum have similar problem : https://forums.zimbra.org/viewtopic.php?f=13&t=71022&hilit=mso#p306022 and maybe Bug : https://github.com/Zimbra/zm-mailbox/pull/1277

This image from github

I do not know if this a safe workaround or not. However, this problem is quite annoying on end users. So, I do this until there is a safe way from Zimbra

su - zimbra
zmlocalconfig -e zimbra_use_owasp_html_sanitizer=false
zmcontrol restart

Now, the content “if !mso” has disappear from Zimbra webmail

Good Luck 🙂

3 comments

  1. Thanks for the workaround.

    There is an attempted fix up on github, but to be honest the proposed fix looks like it’s worse than the bug. Hopefully they will put together a fix that doesn’t hammer the system with global string replacements and can tell the difference between a message’s content and the HTML markup around it.

    https://github.com/Zimbra/zm-mailbox/pull/1371

  2. This is a REALLY bad idea – OWASP is what is protecting you from some exploits and what could have protected against some of the earlier bugs, if it was deployed.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.