Tech Off Thread

7 posts

Forum Read Only

This forum has been made read only by the site admins. No new threads or comments can be added.

Hotmail mangling forms & security

  • whitehorse

    Hi,

    Wondering if anyone here might have any ideas about this, I'd tried reporting it as a bug through Hotmail Support [don't laugh Tongue Out] and they sent me back a form reply thanking me for my feature request in broken English. Though I hadn't made any feature requests. Oh, for a Premium Dev Support contract.. :-/ Anyway, I'd love to hear input from y'all here.

    Basically, Hotmail is "mangling" portions of HTML e-mails, resulting in some HTML mail displaying improperly and the ability to comment using HTML e-mail forms in conjunction with a popular Internet portal - LiveJournal.com - to stop working, returning errors like "POST required, not a GET", "missing parameter/invalid arguments" etc.

    This is apparently caused by a function of the HTML cleaner used by Hotmail. LiveJournal (open source code) e-mails comment replies that contain the form to reply to comments; these work with all providers bar Hotmail - apparently due to flaws in the way Hotmail is configured? When replying, the reply is entered and the form submitted - catching the navigate event and spawning a new window to show the resulting posted comment.

    Hotmail alters this HTML, causing all forms to be sent with GET not POST. GET requests were once allowed by the LJ site but this caused terrible security problems, and cannot generally be used. Hotmail, however, insistently rewrites POST forms as GETs. Grr. An attempt to support Hotmail's sole insistence on mangling the form and attempting to submit it as a GET was to implement ECPhash for security. However, in addition to consistently using GET, Hotmail sometimes omits or otherwise obscures the ECPhash parameter. The presence of that valid ecphash parameter is required by LiveJournal.com if a comment is submitted via GET. So when it does the GET request it should pass the parameters as a query string.

    The ECPhash is implemented as substantially better security than just hashing passwords, because the entryid and commentids are figured into the hash as well. It is present in all comment notification e-mails sent out.

    Additionally, Hotmail's HTML cleaner does not seem to like xhtml's "/" to close standalone tags??:
    Example:
    value="ecph-0213abf4d80501188e53c7079c8cf4a2" / target="_blank">

    On other webmail providers such as Yahoo/Gmail and other e-mail solutions (non web-based) there are no problems at all with these forms.

    Does anyone have any ideas about what else can be done? Is Hotmail worked on, on an ongoing basis? Codewise I mean; obviously people work on it.

  • Sk4rlath

    whitehorse wrote:
    Additionally, Hotmail's HTML cleaner does not seem to like xhtml's "/" to close standalone tags??:
    Example:
    value="ecph-0213abf4d80501188e53c7079c8cf4a2" / target="_blank">


    You mean
    <sometag value="..." target="_blank" />
    , right? I don't think you're allowed to stick things after the closing slash...

    This may just be a webmail problem - I remember being able to comment from LJ emails using Outlook XP with my account. But this is what you mean by other non-web based solutions, isn't it?

    Yeah, I admit VS.NET coloring the XML was a bit much, but I had nothing better to do and it looks pretty.

  • Maurits

    Sk4rlath wrote:
    You mean
    <sometag value="..." target="_blank" />
    , right? I don't think you're allowed to stick things after the closing slash...


    In XML the closing-tag-sequence is />
    In HTML the / is just considered an attribute named "/" and no value

    So in XML you have to have the / rubbing up against the >
    But in HTML you can put it anywhere you like, it's a syntax error no matter where you put it
    But I imagine some browsers who try to DWIM when confronted with syntax errors might treat stuff after the / differently than stuff before the /

  • adeangel

    I'm experiencing mangling of an HTML email in Hotmail as well. However, this is what happens to my form:

    Coded as:
    <form action="http://myurlhere" method="GET">
    <input type=submit name="submit" value="SUBMIT SURVEY">
    </form>

    Hotmail mangles it:

    <form>
    <input type=hidden value="http%253a%252f%252fmyurlhere%253fcc%253d20041123%252d3738016">
    <input type=button value="SUBMIT SURVEY">
    </form>

    Hotmail:
    1) Removed the form action and method
    2) Created a hidden field containing the url of the form action
    3) Changed the button to type=button from type=submit


    Result:
    Form no longer works in Hotmail.

    Does anyone know a work around?

    Successfully tested the same code in other email clients, i.e. Outlook, Yahoo.
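The rewrite adeangel quotes (action and method dropped, the action stashed double-percent-encoded in a hidden input, the submit button turned into an inert button) as an added Python example; this is constructed code, not Hotmail's or LiveJournal's, and it does not append the ?cc= tracking parameter visible in the quoted output. It also includes a decoder so the hidden field can be checked against the original action URL.

```python
import html
from html.parser import HTMLParser
from urllib.parse import unquote

VOID_TAGS = {"input", "br", "img", "hr", "meta", "link"}  # never emit </tag> for these


def encode_all(text: str) -> str:
    """Percent-encode every non-alphanumeric character. The quoted Hotmail
    output even encodes '-' as %2d, which urllib.parse.quote would not."""
    return "".join(c if c.isascii() and c.isalnum() else "%%%02x" % ord(c) for c in text)


def stashed_action(hidden_value: str) -> str:
    """Recover the original action URL from the double-encoded hidden field."""
    return unquote(unquote(hidden_value))


class FormNeutralizer(HTMLParser):
    """Re-emit HTML with <form> stripped of action/method, the action stashed
    double-encoded in a hidden input, and submit buttons made inert."""

    def __init__(self):
        super().__init__()
        self.out = []

    def _emit(self, tag, attrs):
        parts = ['%s="%s"' % (k, html.escape(v or "")) for k, v in attrs.items()]
        self.out.append("<%s>" % " ".join([tag] + parts))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            action = attrs.pop("action", None) or ""
            attrs.pop("method", None)  # no target and no verb: nothing can be submitted
            self._emit("form", attrs)
            if action:
                self._emit("input", {"type": "hidden", "value": encode_all(encode_all(action))})
            return
        if tag == "input" and (attrs.get("type") or "").lower() == "submit":
            attrs["type"] = "button"  # a plain button does not submit the form
            attrs.pop("name", None)
        self._emit(tag, attrs)

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))


def neutralize(html_text: str) -> str:
    parser = FormNeutralizer()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out)


# Constructed input: the form as coded in the post above
SAMPLE = ('<form action="http://myurlhere" method="GET">\n'
          '<input type=submit name="submit" value="SUBMIT SURVEY">\n</form>')

if __name__ == "__main__":
    print(neutralize(SAMPLE))
```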


  • whitehorse

    /Homer Simpson voice/ My XHTML skills and personal hygiene are beyond reproach. /Homer Simpson voice/
    It does look pretty though, nice job. =)

    Nope it's not a webmail problem, definitely a Hotmail thing. Other webmail providers such as Gmail or Yahoo! don't throw up any problem.

    My last post was 3:45am level coherent only. Ahem. When talking in general about forms and e-mails from your_isp.com, yep the Outlook thing would work due to the close browser integration. I mean, if something like Thunderbird is used [mozilla bug] then that's a different issue to this Hotmail matter and it wouldn't be expected to work; for obvious reasons - or at least reasons shown in that 'bug'.

    The Hotmail issue is a problem caused - it would seem - by flaws in the way Hotmail handles forms. Or were you asking if it'd occur also through WebDAV access of Hotmail? That said, that would be less of an issue of late anyway, due to WebDAV access becoming a Hotmail paid-only benefit.

    Thanks for the input thus far, I appreciate it. All input is welcome.

  • whitehorse

    Thank you. I really appreciate your post. It's helpful for me to know the issue is acknowledged and may be fixed where possible, in the future. I have one further question, as it is a known issue:

    Is there any information at all you can provide that can be provided about when (timewise) it might be fixed? I'm asking in the sense of something to communicate to end-users that it will be fixed by x point or something; without having to vaguely say 'probably in the next Hotmail release'.

    The end users I'm thinking of are those who don't know whether the problem is at LiveJournal's end, theirs, or Hotmail's (typical questions asked of us are "what do I need to do to make it work" or "when will you fix this").

    I.e., fixed to the extent that the HTML filter does not have those problems and Hotmail users can mail using forms on the web happily, I presume use of WebDAV makes no difference either way?

    Naturally, the answer might usually be 'when it is fixed and not before' Wink, but really any indication you can give for when it's likely to be fixed would be great. Hopefully it isn't a "How long is a piece of string" type question. Thanks for your time.

  • W3bbo

    omars wrote:
    Well I can tell you this much. The library we use at Hotmail to ensure that messages do not contain malicious scripts (which is why the forms don't work)


    The scripting engines and interpreters in UAs aren't supposed to allow them to become malicious, this is more of an issue in IE classified as a "feature" (probably just to meet the ship date), now you've let the genie out of the bottle

    Interesting how you break one thing to solve another, the rest of us with standards compliant and secure UAs will be waiting for you

    -W3bbo
