View Issue Details

ID: 0005710
Project: SOGo
Category: GUI
View Status: public
Last Update: 2023-03-13 13:43
Reporter: hexmode
Assigned To:
Priority: normal
Severity: major
Reproducibility: have not tried
Status: new
Resolution: open
Platform: [Server] Linux
OS: Debian
OS Version: 8 (Jessie)
Product Version: 5.8.0
Summary: 0005710: HTML in the subject line is not escaped and displayed
Description

I received an email today with <br /> in the subject line. In SOGo, the subject line was displayed as ``. Using my browser's debugging tools I found the following:

<button class="md-no-style md-button md-ink-ripple" type="button" ng-transclude="" ng-click="mailbox.selectMessage(currentMessage)" aria-label="[Wikitech-l] Re: VisualEditor inserting "><div class="md-ripple-container" style=""></div></button>

In another mail reader, the subject was properly displayed as

[Wikitech-l] Re: VisualEditor inserting <br />

Steps To Reproduce

Send an email with "<br />" in the subject line.

Additional Information

SOGo should escape the subject line so that it can be used as an attribute to an HTML element.

Tags: No tags attached.
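The escaping requested in this report, as an added illustration that is not SOGo code and not part of the original report: the same subject is rendered raw and escaped, then read back through a simplified model of browser parsing. The function names and the second, quoted subject are assumptions made for the example.

```javascript
// Added example; function names are hypothetical and not taken from SOGo.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const DECODE = Object.fromEntries(Object.entries(ENTITIES).map(([ch, ent]) => [ent, ch]));

// Escape a value for HTML text and for quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Build the subject button. With escape=false the subject is spliced in raw.
function renderSubject(subject, escape) {
  const s = escape ? escapeHtml(subject) : subject;
  return `<button type="button" aria-label="${s}">${s}</button>`;
}

function decodeEntities(text) {
  return text.replace(/&(?:amp|lt|gt|quot|#39);/g, (ent) => DECODE[ent]);
}

// Simplified model of browser parsing (an assumption, not a full HTML parser):
// the attribute value ends at the first double quote, and anything shaped like
// a tag in the element body becomes an element instead of visible text.
function asBrowserSees(markup) {
  const attr = /aria-label="([^"]*)"/.exec(markup);
  const bodyStart = markup.indexOf('>', attr.index + attr[0].length) + 1;
  const body = markup.slice(bodyStart, markup.lastIndexOf('</button>'));
  return {
    ariaLabel: decodeEntities(attr[1]),
    text: decodeEntities(body.replace(/<[^>]*>/g, '')),
  };
}

const PAGE_SUBJECT = '[Wikitech-l] Re: VisualEditor inserting <br />'; // from the report
const QUOTED_SUBJECT = 'Re: the "br" tag';                             // constructed sample

for (const subject of [PAGE_SUBJECT, QUOTED_SUBJECT]) {
  console.log('raw    ', asBrowserSees(renderSubject(subject, false)));
  console.log('escaped', asBrowserSees(renderSubject(subject, true)));
}
```

With the raw rendering, the visible text of the report's subject ends at "inserting ", the same truncation seen in the aria-label above; with escaping, both the attribute and the text round-trip to the original subject.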

Activities

There are no notes attached to this issue.

Issue History

Date Modified | Username | Field | Change
2023-03-13 13:43 | hexmode | New Issue |