Actions
Defect #4874
closedHTML part of issue mails is not properly escaped
Start date:
2010-02-18
Due date:
% Done:
0%
Estimated time:
Resolution:
Fixed
Affected version:
Description
The link to the issue in the HTML part of issue mails is not properly escaped. If a user inserts HTML tags into the issue subject, it is inserted unescaped into the email body which at least destroys the rendering or at worst allows sophistcated phishing attacks using specifically crafted issue subjects.
The attached patch against Redmine trunk (r3434) fixes this.
Files
Related issues
Updated by Jean-Philippe Lang over 14 years ago
- Category set to Email notifications
- Status changed from New to Resolved
- Target version set to 0.9.3
- Resolution set to Fixed
Done in r3452 with a few more fixes.
Updated by Jean-Philippe Lang over 14 years ago
- Status changed from Resolved to Closed
Merged in 0.9-stable in r3462.
Actions