Improve html message rendering

[st3iny]

Fixes #3076

1. Allow more CSS properties in html messages: see doSetupTricky() and doSetupProprietary() for details.
2. Proxy Content-Type header (fallback to application/octet-stream). Some browsers (e.g. chromium based) refuse to display svgs in img elements unless they are served with the correct Content-Type header.

EDIT: 2. is not secure

[st3iny]

I tested with real world newsletter/notification emails in my personal mail account and most of them are displayed correctly now. More testing is appreciated.

cc @MrManor @jancborchardt

[ChristophWurst]

http://htmlpurifier.org/live/configdoc/plain.html

This parameter determines whether or not to allow "tricky" CSS properties and values. Tricky CSS properties/values can drastically modify page layout or be used for deceptive practices but do not directly constitute a security risk. For example, display:none; is considered a tricky property that will only be allowed if this directive is set to true.

👍

Whether or not to allow proprietary elements and attributes in your documents, as per HTMLPurifier_HTMLModule_Proprietary. Warning: This can cause your documents to stop validating!

👍 I'm fine with slightly invalid HTML. The browsers should be able to handle it.

[ChristophWurst]

So I'm generally for this change, but we should be careful with the mime types and only allow a few safe ones that are used for common image types.

[ChristophWurst]

/backport to stable1.6

[ChristophWurst]

Some browsers (e.g. chromium based) refuse to display svgs in img elements unless they are served with the correct Content-Type header.

Now I'm not sure if we actually want to allow this. Did you see legit emails that use svg? There's some security implications with those. I'm checking with @rullzer if allowing them is OK or not.

I've found https://css-tricks.com/a-guide-on-svg-support-in-email/ on this tipic and it sounds like we'd not be the only client to not render the SVGs.

[st3iny]

The notifications sent by the nextcloud server contain svgs.

Turns out that svgs are a security threat because they may contain scripts. If we really want to proxy svgs we should sanitize them.

[ChristophWurst]

The notifications sent by the nextcloud server contain svgs.

Oops. With the insights from https://css-tricks.com/a-guide-on-svg-support-in-email/ it sounds like we should fix that in server.

Turns out that svgs are a security threat because they may contain scripts. If we really want to proxy svgs we should sanitize them.

Indeed. I see you updated your branch already. Let's skip the potentially dangerous SVG part for now. We can think about sanitization in a follow-up step.