Defect #4874

HTML part of issue mails is not properly escaped

Added by Holger Just almost 2 years ago. Updated almost 2 years ago.

Status: Closed
Start date: 2010-02-18
Priority: High
Due date:
Assignee: -
% Done: 0%
Category: Email notifications
Target version: 0.9.3
Affected version:
Resolution: Fixed

Description

The link to the issue in the HTML part of issue mails is not properly escaped. If a user inserts HTML tags into the issue subject, it is inserted unescaped into the email body which at least destroys the rendering or at worst allows sophisticated phishing attacks using specifically crafted issue subjects.

The attached patch against Redmine trunk (r3434) fixes this.

escape.patch (496 Bytes) Holger Just, 2010-02-18 12:51
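The defect and its fix, as an added Ruby example that is not part of this issue or of Redmine's own code: a minimal ERB link template with the subject interpolated raw, beside the escaped form, plus a check that flags when subject markup reaches the rendered mail. The Issue struct, helper names, sample subjects and URLs are constructed assumptions; CGI.escapeHTML stands in for the Rails `h` helper so the script runs without Rails.

```ruby
require "erb"
require "cgi"

# Constructed stand-in for a Redmine Issue record (assumption; not Redmine's model).
Issue = Struct.new(:id, :subject)

# Link line of an HTML issue mail as the bug describes it: the subject is
# interpolated into the markup unescaped.
UNESCAPED_LINK = '<a href="<%= url %>"><%= issue.subject %></a>'

# Hardened form: both the URL and the subject go through an HTML escaper
# (Redmine's views use the Rails `h` helper; CGI.escapeHTML is used here).
ESCAPED_LINK = '<a href="<%= CGI.escapeHTML(url) %>"><%= CGI.escapeHTML(issue.subject) %></a>'

# Renders one of the templates above for a given issue (hypothetical helper).
def render_issue_link(template, issue, base_url)
  url = "#{base_url}/issues/#{issue.id}"
  ERB.new(template).result_with_hash(issue: issue, url: url)
end

# Check a test suite can run over rendered mail bodies: true when a subject
# containing a tag appears verbatim in the HTML, i.e. user-controlled markup
# reached the mail unescaped.
def subject_markup_leaked?(rendered, issue)
  issue.subject.include?("<") && rendered.include?(issue.subject)
end

# Constructed subjects: the <pre> case from the duplicate #5178, and a
# link-shaped subject of the kind the description warns about.
PRE_ISSUE  = Issue.new(5178, "<pre> tag in subject disrupts HTML email")
LINK_ISSUE = Issue.new(4874, 'Session expired <a href="http://phish.example/">re-login</a>')

if __FILE__ == $PROGRAM_NAME
  [PRE_ISSUE, LINK_ISSUE].each do |issue|
    raw  = render_issue_link(UNESCAPED_LINK, issue, "http://redmine.example")
    safe = render_issue_link(ESCAPED_LINK, issue, "http://redmine.example")
    puts "issue ##{issue.id}: unescaped leaks markup? #{subject_markup_leaked?(raw, issue)}"
    puts "issue ##{issue.id}: escaped leaks markup?   #{subject_markup_leaked?(safe, issue)}"
    puts safe
  end
end
```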


Related issues

duplicated by Defect #5178: <pre> tag in subject disrupts HTML email Closed 2010-03-24

Associated revisions

Revision 3452
Added by Jean-Philippe Lang almost 2 years ago

Escaping in html email templates (#4874).

History

Updated by Jean-Philippe Lang almost 2 years ago

  • Category set to Email notifications
  • Status changed from New to Resolved
  • Target version set to 0.9.3
  • Resolution set to Fixed

Done in r3452 with a few more fixes.

Updated by Jean-Philippe Lang almost 2 years ago

  • Status changed from Resolved to Closed

Merged in 0.9-stable in r3462.
