Announcing Public Availability of NoHTML for Outlook 2000/2002
From: Russ (Russ.Cooper@RC.ON.CA)
Date: 12/04/01
Date: Tue, 4 Dec 2001 11:40:49 -0500
From: Russ <Russ.Cooper@RC.ON.CA>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
NoHTML.dll is an Outlook Add-in designed to convert HTML-based emails into
harmless messages. It works slightly differently for Outlook 2000 than it
does for Outlook 2002. Does not work with Outlook 98, or any version of
Outlook Express.
In Outlook 2000, NoHTML converts HTML-based emails into RTF format. While
this eliminates all HTML tags and scripting, it has the unfortunate
side-effect of possibly resulting in completely blank emails. An example
would be if the original HTML-based email is based entirely on a Table
(ZDNet Anchordesk newsletters are one example), it will appear completely
blank in Outlook 2000 after NoHTML. Unfortunately Outlook 2000 cannot
convert HTML to Plain Text.
In Outlook 2002, NoHTML converts HTML-based emails into Plain Text format.
It places the word "HYPERLINK" in front of URLs (Outlook does this, not me),
but strips the message of all HTML tags and scripting. Tables appear as long
lists of text strings and/or URLs.
The .dll works on either Outlook 2000 or Outlook 2002. It works with the
Outlook Email Security Update, and the default installation of Outlook 2002
(In other words, it doesn't conflict with Outlook built-in security
measures).
NoHTML works on the basis of a selection change, that is, whenever an item
in Outlook is selected, NoHTML checks to see whether or not it should affect
it. NoHTML only works on standard email messages, known as "IPM.Note" items,
so it will not affect the notes field in a Contact item, or non-standard or
custom Outlook forms.
If NoHTML determines it can affect a mail message, and if the message is in
HTML format, NoHTML will convert it. NoHTML also adds the "NoHTML" category
to the message, allowing you to see whether a message was in HTML format
when it arrived. No attempt is made to save the original HTML contents.
Outlook includes the built-in functionality for the conversion, this feature
is not code that I have written, so what you get is what you would get if
you opened a message and chose to change its format.
If Preview Pane is enabled, Outlook renders, in HTML, any HTML-based email
you select PRIOR to NoHTML triggering. This is, unfortunately, out of my
control. I could disable the Preview Pane automatically, but many people
insist on it being available. In both Outlook 2000 and Outlook 2002 the
Preview Pane is restricted, by Outlook, from executing Scripts and Active
Content, so the risk is one of Privacy leakage rather than malicious code
execution. Many HTML-based emails contain tracking elements, like a 1-pixel
GIF image, which will still work in Preview Pane.
I STRONGLY RECOMMEND THAT YOU DISABLE PREVIEW PANE
Once a message has been selected, and rendered in HTML in Preview Pane, it
will be converted and saved as non-HTML. So looking at it a second time will
show that it's no longer HTML.
This tool has undergone reasonable testing with 125 beta testers. However,
there is no guarantee that all bugs have been found. The tool consists of
very little code, and only one variable, so there shouldn't be any
opportunity for it to be exploited. That said, if you find problems, contact
me directly.
NoHTML.dll must be copied into the following directory;
/Documents and Settings
/(user)
/Application Data
/Microsoft
/Add-ins
This is where Outlook defaults to look for new COM Add-ins. Some testers
found that if the .dll is put in any other directory then it seems not to
stay active between Outlook startups.
Once copied, do the following to complete installation;
1. Open the Tools menu in the Outlook main toolbar
2. Select Options
3. Select the "Other" panel
4. Click the "Advanced Options" button
5. Click the "COM Add-ins" button
6. Click the "Add" button
7. Navigate to the location where you extracted NoHTML.dll
8. Select NoHTML.dll
9. Ensure its checkbox is checked, and click Ok 4 times
That's it, it is now installed and should be active.
To test its functionality simply select a message.
To uninstall, just go back to the same dialog box described above, highlight
NoHTML.dll, and click "Remove". You can then delete the NoHTML.dll file
itself.
For the most part NoHTML doesn't affect performance. If the message body is very
large (note, attachment size has no effect on NoHTML's performance), and the
system relatively small, it's possible you may see a noticeable delay while
moving your cursor down a list of messages. Any delay happens once per
message, and does not re-occur on the same message should it be selected
again.
In case you're wondering, I originally had NoHTML working on messages as
they arrived. This would have missed emails arriving in folders other than
your Inbox, something that can easily happen if you had Rules defined to
filter messages into specific folders. There was no easy way to address this
issue, so I decided to switch it to work on selecting an item.
Revision History:
v1.2.0.0 12/3 21:06 EDT
-First Public Release
-no changes made between this version and 1.1.0.7 other than the version
number
Beta Test Revisions:
v1.1.0.7 12/3 9:57 EDT
-You must put NoHTML.dll in the "AddIns" directory under the user (seems to
resolve issues some were having that caused it not to be checked after it
was installed)
-Corrected problem when category exists, changed category name added to
"NoHTML".
-Tried to speed up code.
-Developed version that removed attachments with double extensions, but then
took that functionality out.
-Worked extensively on shutdown problems, Outlook not removing itself from
memory. Only happens on Outlook 2000 (can't get it to happen on Outlook
2002). "Exit and Log off" always clears Outlook 2000 from memory, so I have
to assume it's an intended feature of Outlook??
v1.1.0.6 11/30 15:09 EDT
-fixed issues with non-standard forms.
v1.1.0.5 11/30 14:29 EDT
-fixed Outlook shutdown problem.
v1.1.0.4 11/30 13:16 EDT
-Changed the way it works. It used to work based on messages arriving or
being copied into your Inbox. This didn't handle messages that were sent to
other folders by Rules Wizard, nor did it handle old messages. Now the
add-in functions based on selecting a message. As soon as a message is
highlighted, it is converted. However, Outlook actually renders the message
in the Preview Pane prior to registering the event of a message being
highlighted. So although the message gets changed, it's rendered in all its
HTML splendor in the Preview Pane. For now, the only way I can see around
this problem is to disable the Preview Pane altogether. I have not done this
in this version, I'm trying to find a way to do it "nicely" or intelligently
(e.g. turn it off until I'm sure the message isn't HTML). We'll see.
-I hope the memory leaks are gone now, and that Outlook politely exits.
-To update an existing installation, first remove the Add-in through the
dialog and then copy the new .dll into the appropriate location, then add it
in again. I'll have to look into what needs to be done to automate this
cleanly.
-Support for Outlook 98 did not work, I need to build a configuration file
to do this properly. I have to install an O98 environment to do this,
hopefully tomorrow.
v1.1.0.3 11/30 04:30 EDT
-internal build
v1.1.0.2 11/29 16:30 EDT
-Implemented support for Outlook 98, removed Preview Pane functionality
(Preview Pane now works normally, no threat since messages aren't HTML)
v1.1.0.1 11/29 15:30 EDT
-Fixed memory leak
v1.1.0.0 11/29 14:30 EDT
-Initial beta release
Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
Download NoHTML v1.2.0.0 Now! (7906 Bytes)
http://www.ntbugtraq.com/NoHTML.asp
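
The conversion and the Preview Pane privacy issue described in the message above, as an added Python illustration (not the NoHTML add-in's code and not Outlook's built-in converter). It drops tags and script content, lets a table collapse into a list of strings and URLs, and flags remote images such as a 1-pixel tracking GIF. The names `PlainTextConverter` and `neutralize` and the sample message are constructed for this example.

```python
from email import message_from_string
from html.parser import HTMLParser

class PlainTextConverter(HTMLParser):
    """Hypothetical converter: HTML body -> text lines plus a list of remote images."""
    SKIP = {"script", "style"}  # element content that is dropped entirely
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.lines, self.remote_images, self._skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in self.SKIP:
            self._skip += 1
        elif tag == "a" and a.get("href"):
            self.lines.append("HYPERLINK " + a["href"])  # mimics the prefix the post mentions
        elif tag == "img" and (a.get("src") or "").lower().startswith(("http://", "https://")):
            tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
            self.remote_images.append((a["src"], tiny))  # fetched on render, so it leaks "opened"

    def handle_endtag(self, tag):
        if tag in self.SKIP and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip and data.strip():
            self.lines.append(data.strip())

def neutralize(raw_message):
    """Return (plain_text, remote_images) for the first text/html part, else (None, [])."""
    for part in message_from_string(raw_message).walk():
        if part.get_content_type() == "text/html":
            conv = PlainTextConverter()
            body = part.get_payload(decode=True)
            conv.feed(body.decode(part.get_content_charset() or "utf-8", "replace"))
            conv.close()
            return "\n".join(conv.lines), conv.remote_images
    return None, []

# Constructed sample: a table-only HTML mail with a script and a 1x1 tracking image.
SAMPLE = """From: newsletter@example.com
Subject: constructed sample
Content-Type: text/html; charset="us-ascii"

<html><body><script>alert(1)</script>
<table><tr><td>Top story</td><td><a href="http://example.com/story">Read more</a></td></tr></table>
<img src="http://tracker.example.com/open.gif?id=42" width="1" height="1"></body></html>
"""
print(neutralize(SAMPLE))
```
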