
GpgOL: Empty OpenPGP mails with "Read as plain" activated
Open, High, Public

Description

Most OpenPGP mails are displayed empty with the "Read as plain" option set:


It also stays empty if "Display as HTML" is selected in the dropdown of the conversion note:

The "Display as HTML" option doesn't show the formatted Rich/HTML body for S/MIME mails either.

To reproduce:

  1. In Options / Trustcenter -> Email Security activate:
    • Read all standard mail in plain text
    • Read all digitally signed mail in plain text
  2. Check mails of different combinations of signed/encrypted, openpgp/smime, html/rich/plain (e.g. in ted:INBOX/Mailformate, all have the same body content as the subject, with "rich" shown in green for Richtext format and "html" shown in red for HTML format)

For whatever reason, the only PGP mails for which the converted plain text is shown are:

  • pgp signed unencrypted html attachment
  • pgp unsigned encrypted html noattachment

Details

Version
vsd-3.3.90.16-beta

Event Timeline

ebo triaged this task as High priority. Oct 9 2025, 9:24 AM
ebo moved this task from Backlog to Triage on the gpgol board.

Might there be a relation to T7842? But I would have thought that then all signed messages would be unaffected.

ebo mentioned this in Unknown Object (Maniphest Task). Nov 14 2025, 2:48 PM
ebo mentioned this in Unknown Object (Maniphest Task). Dec 19 2025, 9:44 AM
alexk added a subscriber: alexk.

Marcus' suggestion: offer the HTML mail content as attachment.

Not a good idea. Because then the user will open it with the browser and the browser loads all kinds of additional data including drive-by malware. If HTML *mail* is shown by an MUA, no links should be followed to keep information and the fact that it was read confidential.

I would suggest showing the HTML in raw form. This way the user notices that there is something. Maybe with a header explaining that for security reasons HTML is not rendered.
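
A sketch of the raw-form fallback suggested in the last comment, as an added example (not GpgOL code and not part of the thread): prefer a non-empty text/plain part, otherwise show the HTML source unrendered under a notice so the view is never empty. It assumes the MIME content has already been decrypted and verified; `plain_view`, `NOTICE` and the sample messages are hypothetical names and constructed data.

```python
from email import message_from_string, policy

# Hypothetical notice text; the thread only asks for "a header explaining".
NOTICE = "[For security reasons HTML is not rendered. Raw HTML source follows.]"


def plain_view(raw_message: str) -> str:
    """Return the text to display when "read as plain" is active."""
    msg = message_from_string(raw_message, policy=policy.default)

    # 1. A usable text/plain body wins. An empty or whitespace-only plain
    #    part (common in HTML-only mails) does not count as usable.
    plain = msg.get_body(preferencelist=("plain",))
    if plain is not None and plain.get_content().strip():
        return plain.get_content()

    # 2. Otherwise show the HTML source as text. Nothing is parsed or
    #    rendered, so no link or image reference is ever fetched.
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        return NOTICE + "\n\n" + html.get_content()

    # 3. No textual body at all.
    return ""


# Constructed sample messages (not taken from the report).
HEADERS = "From: a@example.invalid\nTo: b@example.invalid\nMIME-Version: 1.0\n"

HTML_ONLY = (
    HEADERS
    + "Content-Type: text/html; charset=utf-8\n\n"
    + '<p>hello <img src="http://tracker.example.invalid/p.gif"></p>\n'
)

ALTERNATIVE = (
    HEADERS
    + 'Content-Type: multipart/alternative; boundary="b1"\n\n'
    + "--b1\nContent-Type: text/plain; charset=utf-8\n\n"
    + "plain body\n"
    + "--b1\nContent-Type: text/html; charset=utf-8\n\n"
    + "<p>html body</p>\n"
    + "--b1--\n"
)

# Same structure, but the text/plain alternative is empty.
EMPTY_PLAIN = ALTERNATIVE.replace("plain body\n", "\n")
```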