Defect #4874

closed

HTML part of issue mails is not properly escaped

Added by Holger Just over 14 years ago. Updated over 14 years ago.

Status: Closed
Priority: High
Assignee: -
Category: Email notifications
Target version:
Start date: 2010-02-18
Due date:
% Done: 0%
Estimated time:
Resolution: Fixed
Affected version:

Description

The link to the issue in the HTML part of issue mails is not properly escaped. If a user inserts HTML tags into the issue subject, it is inserted unescaped into the email body which at least destroys the rendering or at worst allows sophisticated phishing attacks using specifically crafted issue subjects.

The attached patch against Redmine trunk (r3434) fixes this.
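To make the defect concrete, here is an added example (not Redmine's code and not the attached patch): a hypothetical helper that builds the issue link for the HTML mail part by interpolating the subject directly, beside a hardened version that HTML-escapes every user-controlled value with `ERB::Util.html_escape`. The subject, URL and tracker name are constructed sample values.

```ruby
require 'erb'

# Hypothetical helper mirroring the reported defect: the issue subject is
# interpolated straight into the HTML markup of the notification mail.
def issue_link_unescaped(url, tracker, id, subject)
  "<a href=\"#{url}\">#{tracker} ##{id}: #{subject}</a>"
end

# Hardened form: every value that can carry user input is HTML-escaped
# before it is placed in the markup, so tags in the subject render as text.
def issue_link_escaped(url, tracker, id, subject)
  e = ->(s) { ERB::Util.html_escape(s.to_s) }
  "<a href=\"#{e.(url)}\">#{e.(tracker)} ##{id}: #{e.(subject)}</a>"
end

# Counts opening HTML tags in a fragment; used to check how many tags the
# mail would actually contain after rendering.
def opening_tag_count(html)
  html.scan(/<[a-zA-Z]/).length
end

# Constructed sample subject: the <pre> case from the duplicate report plus
# an anchor, the kind of markup the report says breaks rendering.
SAMPLE_URL     = "http://redmine.example/issues/4874"   # constructed
SAMPLE_SUBJECT = "Login broken <pre><a href=\"http://example.invalid/\">reset</a>"

def demo
  unescaped = issue_link_unescaped(SAMPLE_URL, "Defect", 4874, SAMPLE_SUBJECT)
  escaped   = issue_link_escaped(SAMPLE_URL, "Defect", 4874, SAMPLE_SUBJECT)
  {
    unescaped: unescaped,
    escaped: escaped,
    # Only the link we wrote ourselves should survive as a real tag.
    unescaped_tags: opening_tag_count(unescaped),  # 3: our <a>, <pre>, injected <a>
    escaped_tags: opening_tag_count(escaped)       # 1: our <a> only
  }
end

if __FILE__ == $0
  r = demo
  puts "unescaped: #{r[:unescaped]}"
  puts "escaped:   #{r[:escaped]}"
end
```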


Files

escape.patch (496 Bytes) - Holger Just, 2010-02-18 12:51

Related issues

Has duplicate: Redmine - Defect #5178: <pre> tag in subject disrupts HTML email (Closed, 2010-03-24)

#1

Updated by Jean-Philippe Lang over 14 years ago

  • Category set to Email notifications
  • Status changed from New to Resolved
  • Target version set to 0.9.3
  • Resolution set to Fixed

Done in r3452 with a few more fixes.

#2

Updated by Jean-Philippe Lang over 14 years ago

  • Status changed from Resolved to Closed

Merged in 0.9-stable in r3462.