2
Potentially dangerous scripts were removed from this message. Allow scripts - signature issue
Problem reported by Jay Altemoos - 10/20/2016 at 2:20 PM
Submitted
So I had one of our customers call today mentioning that when they send an email to one of the other office people in their company the recipient sees the warning in their email "Potentially dangerous scripts were removed from this message. Allow scripts".  Now both users use webmail for checking their email and it's always this one user's email that has the warning attached. Other people from the same office email back and forth without this error ever appearing. We are running SmarterMail 14.5.5907 enterprise
 
So I did some testing and I found out what the issue was. I corrected it in their signature but I am wondering why this even showed up in the first place. So they created the signature in SM in the web interface and there's nothing fancy in the signature, just a regular signature and a hyper-link to their website.
 
So looking at the source of the signature in the source editor I found this:
<span oncontextmenu="try{event.cancelBubble=true;event.preventDefault();}catch(e){}return false;">
 
Now this is something the user would not have ever entered into the signature themselves. I verified with the user that they created the signature fresh from within the SM webmail and didn't copy it from something else like Outlook, Thunderbird, etc.The code looks like a capture event for an error of sorts but why did it end up in the signature in the first place? The 3 lines this ended up on all had a ":" in it. For example, Office: , Ext: , Fax: and all had numbers afterwards. 
 
Sample from the source code from the signature: (These are the lines there the script showed up)
Office: &nbsp;6
Ext: 2
Fax: &nbsp;6
 
Not sure if you guys are aware of this or even if it's been addressed already. If it has been addressed then I can update our version. Any ideas? I made a copy of the entire source code and saved it in a text file if you guys need to see that.

6 Replies

Reply to Thread
0
Von-Austin See Replied
Employee Post
Jay,
 
I haven't heard any reports of this behavior here in the support department. Once you modified the signature and saved the settings did the <span> code come back at all ? If you can happen to replicate the issue and provide me with the steps, we should be able to get this fixed. 
 
It's hard to say what may have happened here, our editor does add HTML code, but not any that would include a SPAN tag, unless this was copied directly from another source. 
Von See Technical Support Supervisor SmarterTools Inc. (877) 357-6278 www.smartertools.com
0
Jay Altemoos Replied
Thank you for the reply Von. I will see what I can do to replicate this. She did tell me she did not copy the signature from somewhere else. So she created it fresh within SmarterMail. I will keep you posted. Is the editor you guys use CKEditor?
0
Von-Austin See Replied
Employee Post
Jay, this is correct we use CKEditor.
Von See Technical Support Supervisor SmarterTools Inc. (877) 357-6278 www.smartertools.com
1
Jay Altemoos Replied
Good morning Von.
Ok so I was able to replicate the issue and found out how the user got the <span oncontextmenu="try{event.cancelBubble=true;event.preventDefault();}catch(e){}return false;"> into the signature.
 
Now it doesn't matter what is typed in the signature. So regular text also has the same issue with scripting showing up. Here's how I replicated the issue:
1. Create a new signature for your account
2. Name it whatever you want
3. In the signature section type in anything. It could be a name, number, whatever it didn't matter what I typed in there
4. After you get something typed in there, click on the ABC button for the spell check
5. Once the middle section is highlighted green, right-click on whatever text you have typed in and select "Ignore All"
6. Click the ABC spell check button again so the screen goes back to regular mode
7. Now click on the <>Source button and you will see <span oncontextmenu="try{event.cancelBubble=true;event.preventDefault();}catch(e){}return false;"> listed in the signature line you right-clicked on
 
Now here's where things get weird, every line you add into the signature after you did the above procedure continues to add the script on each and every line you add in afterwards. So if you another new entry before you save the signature and click the Source button you will see the script on the next line you added. I even went as far as saving the signature and edited the signature again. I enter a few new lines on text or numbers into the signature and the editor continues to add the <span oncontextmenu="try{event.cancelBubble=true;event.preventDefault();}catch(e){}return false;"> into each new line I add. Even if I spell check the signature again and add something the to ignore list. it still continues to add the script on each new line I add. I verified this through the Source Editor.
 
So it appears to be a bug in the spell check feature with the Ignore All selection only. If I added something to spell check by clicking on Add or Edit, it never does this. So it would explain why the scripting in my user's signature ended up at the bottom of their signature. They must have clicked the Ignore All on the 3rd last line of the signature and then added other entries afterwards.
 
Let me know if you need anything else from me. I'll be happy to help.
 
 
0
Jay Altemoos Replied
I also wanted to let you know that the spell check is bugged even in the compose new message screen. It puts the same exact scripting I outlined above. So if I compose a new message and type in a bunch of text on a few lines, then spell check it and select Ignore All. If you check the source after doing that you will see the <span oncontextmenu="try{event.cancelBubble=true;event.preventDefault();}catch(e){}return false;"> in the message as well.

I sent the test message to myself and I get the "Potentially dangerous scripts were removed from this message. Allow scripts" listed for the message I sent myself. Now I did no use the bad signature, I just sent the message to myself with my good signature.
0
Von-Austin See Replied
Employee Post
Jay,
 
Thank you for looking into that further. Using your steps I was able to replicate the issue in both the signature and in the composition of new messages. 
 
I'm going to submit this as a bug and we will get this corrected in a future minor release. 
Von See Technical Support Supervisor SmarterTools Inc. (877) 357-6278 www.smartertools.com

Reply to Thread