Defect #4874: HTML part of issue mails is not properly escaped - Redmine

Actions

Copy link

Defect #4874

closed

HTML part of issue mails is not properly escaped

Added by Holger Just about 15 years ago. Updated about 15 years ago.

Status:

Closed

Priority:

High

Assignee:

Category:

Email notifications

Target version:

0.9.3

Start date:

2010-02-18

Due date:

% Done:

Estimated time:

Resolution:

Fixed

Affected version:

Description

The link to the issue in the HTML part of issue mails is not properly escaped. If a user inserts HTML tags into the issue subject, it is inserted unescaped into the email body which at least destroys the rendering or at worst allows sophistcated phishing attacks using specifically crafted issue subjects.

The attached patch against Redmine trunk (r3434) fixes this.

Files

escape.patch (496 Bytes) escape.patch

Holger Just, 2010-02-18 12:51

Related issues

History
Notes
Property changes
Associated revisions

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Redmine

Custom queries

Defect #4874

HTML part of issue mails is not properly escaped

Updated by Jean-Philippe Lang about 15 years ago

Updated by Jean-Philippe Lang about 15 years ago