Rendering bug in Firefox, threat level: annoyance

There is this rendering bug in Firefox that currently can be classified as an annoyance.

It was discovered during a discussion at the Ubuntu-GR mailing list and reported in June 2008, and at that time it would cause Firefox to crash. Therefore, it was deemed as a security issue, and the bug report was not made public. Just recently, the issue was revisited, current versions of Firefox do not crash, and the security tag was removed. It is quite possible that there is some existing report on the issue, and not being classified as a security bug, it will be easier sort out. Thus, have a look at bug report #441307.

The source of the rendering bug is the HTML code

<HR WIDTH=143165425 ALIGN=RIGHT>

So, you send an HTML e-mail and you add the above code. The code says to show a Horizontal line, with some huge width (here, you simply put 143165425).

If you received such an annoying e-mail, here is how it may look like (Yahoo WebMail)

If you received such an annoying e-mail, here is how it may look like (Yahoo WebMail)

How GMail might look like when you receive such an HTML email.

How GMail might look like when you receive such an HTML email.

Some versions of Firefox respond differently to this rendering bug, which probably relates to a different set of linked libraries. For example, the Firefox 3 found in Ubuntu Linux 8.10 is able to show the e-mail in GMail just fine (though it messes up with other pages). The above screenshots are by Minefield 3.1b2pre (64-bit). The Windows version of Firefox is also affected.

To try out yourself, create a file /tmp/mypoc.html with contents

<!DOCTYPE HTML PUBLIC “-//W3C//DTD HTML 4.0 Transitional//EN”>
<HTML>
<HEAD>
</HEAD>
<BODY BGCOLOR=”#ffffff”>
<TABLE WIDTH=100% BORDER=0 CELLPADDING=2 CELLSPACING=2 BGCOLOR=”#e0e0e0″>
<TR>
<TD>
<HR WIDTH=143165425 ALIGN=RIGHT>
</TD>
</TR>
</TABLE>
This is a test.
<HR WIDTH=143165425 ALIGN=RIGHT>
Some more text.
</BODY>
</HTML>

Load it up in Firefox. Click to Select All, then Copy. You can then paste in your mailer, when you compose as HTML (for example, with Thunderbird).

Just to reiterate, this issue is currently at level annoyance, unless someone manages to produce an HTML file that can crash Firefox. If you manage to do so, please file a bug report at http://bugzilla.mozilla.org/ and specify the security settting so that the bug gets high priority.

Permanent link to this article: https://blog.simos.info/rendering-bug-in-firefox-threat-level-annoyance/

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.