| SYSTEM INFORMATION | |
|---|---|
| OS type and version | Ubuntu 22.04 |
| Webmin version | 2.641 |
| Usermin version | 2.540 |

Think I’ve found something that constitutes a bug.

A Usermin user trying to click a link in an HTML email was “blocked” due to CORS, because the HTML email was (mal-)formatted using the target="_self" attribute, which results in links trying to open -inside- the iframe.

I had them try the option to open links in a new tab, toggled it between its two available options, but this didn’t change anything about how links worked. (Maybe I misunderstand the option, maybe it’s bugged, or not documented clearly enough to avoid assumptions on my part.)

In any case, I don’t think the webmail client should ever allow opening a third-party website inside the client’s email-viewing iframe. I think the emails should be sanitized for display in the webmail, to strip out or replace the target="_self" attributes and other problematic target values.

Couple of ways to do it: a server-side HTML parser, or leverage the client’s own JavaScript to make sure things are updated as they should be.
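
The server-side option mentioned in the post, as an added example that is not part of the original post and is not Usermin's code: a parser pass that forces every link target in a mail body to a new tab. It goes slightly beyond the `_self` case by overriding any target value (including a missing one) and adding `rel="noopener noreferrer"`; the function names and the sample body are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser

TARGET_TAGS = {"a", "area", "form", "base"}  # elements that accept a target attribute
REL_TAGS = {"a", "area", "form"}             # elements that also accept rel

class LinkTargetRewriter(HTMLParser):
    """Re-emit HTML, changing only where links and forms navigate."""

    def __init__(self):
        super().__init__(convert_charrefs=False)  # keep entities in text as written
        self.out = []

    def _tag(self, tag, attrs, closer):
        if tag in TARGET_TAGS:
            # Drop whatever the sender supplied, then pin the safe values.
            attrs = [(k, v) for k, v in attrs if k not in ("target", "rel")]
            attrs.append(("target", "_blank"))
            if tag in REL_TAGS:
                attrs.append(("rel", "noopener noreferrer"))
        # The parser unescapes attribute values, so escape them again on output.
        parts = [tag] + [k if v is None else f'{k}="{escape(v, quote=True)}"'
                         for k, v in attrs]
        self.out.append("<" + " ".join(parts) + closer)

    def handle_starttag(self, tag, attrs): self._tag(tag, attrs, ">")
    def handle_startendtag(self, tag, attrs): self._tag(tag, attrs, " />")
    def handle_endtag(self, tag): self.out.append(f"</{tag}>")
    def handle_data(self, data): self.out.append(data)
    def handle_entityref(self, name): self.out.append(f"&{name};")
    def handle_charref(self, name): self.out.append(f"&#{name};")
    def handle_comment(self, data): self.out.append(f"<!--{data}-->")
    def handle_decl(self, decl): self.out.append(f"<!{decl}>")

def rewrite_link_targets(html_body):
    """Return html_body with every link/form target forced to a new tab."""
    parser = LinkTargetRewriter()
    parser.feed(html_body)
    parser.close()
    return "".join(parser.out)

# Constructed sample mail body (not taken from a real message).
SAMPLE = ('<p>Hi &amp; welcome</p>'
          '<a href="https://example.com/?a=1&amp;b=2" target="_self">one</a>'
          '<a HREF="https://example.org/" TARGET="_top" rel="opener">two</a>'
          '<a href="https://example.net/">three</a>')

if __name__ == "__main__":
    print(rewrite_link_targets(SAMPLE))
```

This pass changes only link targets and is not a complete HTML mail sanitizer.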