View Issue Details

ID: 0005710
Project: SOGo
Category: GUI
View Status: public
Last Update: 2023-10-09 08:01
Reporter: hexmode
Assigned To: 
Priority: normal
Severity: major
Reproducibility: have not tried
Status: new
Resolution: open
Platform: [Server] Linux
OS: Debian
OS Version: 8 (Jessie)
Product Version: 5.8.0
Summary: 0005710: HTML in the subject line is not escaped and displayed

I received an email today with <br /> in the subject line. In SOGo, the subject line was displayed as ``. Using my browser's debugging tools I found the following:

<button class="md-no-style md-button md-ink-ripple" type="button" ng-transclude="" ng-click="mailbox.selectMessage(currentMessage)" aria-label="[Wikitech-l] Re: VisualEditor inserting "><div class="md-ripple-container" style=""></div></button>

In another mail reader, the subject was properly displayed as

[Wikitech-l] Re: VisualEditor inserting <br />

Steps To Reproduce

Send an email with "<br />" in the subject line.

Additional Information

SOGo should escape the subject line so that it can be used as an attribute to an HTML element.

Tags: No tags attached.

2023-10-09 08:01

administrator   ~0017347

Since 5.8.0, the HTML tags are removed from the title to avoid XSS injection. This is rough but more secure.
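The two approaches mentioned on this issue, side by side, as an added illustration that is not SOGo's code: escaping the subject so it survives both as an attribute value and as visible text (what the report asks for), versus stripping tag-shaped text as the 5.8.0 note describes. The subject string is the one from the report; the rendering helpers are simplified stand-ins for the real template.

```javascript
// Added example, not SOGo code. The subject from the report, used both as
// an aria-label attribute value and as the visible label of a button.
const SUBJECT = "[Wikitech-l] Re: VisualEditor inserting <br />";

// Escape every character that has meaning in HTML text or in a quoted
// attribute value, so one function is safe for both positions.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// The 5.8.0 workaround: drop anything tag-shaped. No markup survives, but
// the user no longer sees what the subject actually said.
function stripTags(s) {
  return String(s).replace(/<[^>]*>/g, "");
}

// The bug as reported: raw subject interpolated into markup.
function renderRaw(subject) {
  return `<button aria-label="${subject}">${subject}</button>`;
}

// Escape once, then use the result in both attribute and text positions.
// In a real DOM the equivalent is el.setAttribute(...) / el.textContent.
function renderEscaped(subject) {
  const safe = escapeHtml(subject);
  return `<button aria-label="${safe}">${safe}</button>`;
}

// Count tag-shaped tokens in rendered output: a well-formed single button
// should yield exactly two (the open and close tag). Anything more means
// the subject leaked into markup.
function countTags(html) {
  return (html.match(/<[^>]*>/g) || []).length;
}

console.log(renderRaw(SUBJECT), countTags(renderRaw(SUBJECT)));
console.log(renderEscaped(SUBJECT), countTags(renderEscaped(SUBJECT)));
console.log(stripTags(SUBJECT));
```

With the raw template the `<br />` from the subject becomes a third tag in the output; with escaping it is rendered literally and the subject text is preserved, which stripping does not do.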


Issue History

Date Modified Username Field Change
2023-03-13 13:43 hexmode New Issue
2023-10-09 08:01 sebastien Note Added: 0017347