rosehgal/TrashEmail

Unsafe content in HTML emails

dcRUSTy opened this issue · 3 comments

Describe the bug
JavaScript and external resources are allowed in the "HTML version" of an email, which might lead to tracking, IP address leakage, and a wide range of other security issues.

To Reproduce
Steps to reproduce the behavior:

  1. Send yourself an HTML email with inline JavaScript: `<script>alert(1)</script>`
  2. In bot click on "View HTML"

Expected behavior
By default they should be blocked, or at least the user should be given control.

Screenshots
(screenshot: JSinHTMLEmails)

Hi @dcRUSTy, you are right here. I never bothered to take this into account, as I thought the unique HTML link would only be available to the user, and there is no user-to-user mail sending, as one user would not even get the email id of any other user, and this is done via brute force.
But yes, this will actually compromise the user's IP address and may execute other client-side scripts, which is definitely an issue. I would like to thank you again for pointing this out. Apart from that, there are no session-related information leaks with it, as there are no sessions involved.

Give me some time to see what the best way would be to fix/remediate this. I will keep this issue open till then.

Thinking out loud... In addition to the above, how about sending the HTML file as an attachment in the bot? This way the user has a copy of his email irrespective of whether the service works in future or not, and it also solves the overhead of storing the HTML file on the server.

But this won't fix the issue. JS file execution will still be there. Something else is needed.
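The behaviour the report asks for (block active content and remote loads by default, and let the user opt in), as an added Python example that is not TrashEmail's code: an html.parser-based sanitizer that drops script-bearing elements and event handlers, blocks auto-loaded URLs unless they point at inline (cid:/data:) parts, and returns the list of blocked items so the bot can offer them to the user. The SAMPLE message and the tracker.example host are constructed for the demonstration.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Elements that run code or trigger fetches; elements with no end tag; attributes that load URLs
DROP_TAGS = {"script", "style", "iframe", "object", "embed", "link", "meta", "base", "form"}
VOID_TAGS = {"img", "br", "hr", "input", "meta", "link", "base", "source", "area", "col", "wbr"}
LOAD_ATTRS = {"src", "srcset", "background", "poster", "action", "href"}
class EmailSanitizer(HTMLParser):
    # Re-emits the markup keeping only inert tags/attributes and records what was blocked
    def __init__(self):
        super().__init__()
        self.out, self.blocked, self._skip = [], [], 0  # _skip > 0 while inside a dropped element
    def _attr_ok(self, tag, name, value):
        if name.startswith("on"):                                 # onload=, onerror=, ...
            self.blocked.append(f"{tag}@{name}"); return False
        if name == "style" and "url(" in (value or "").lower():  # CSS-triggered fetches
            self.blocked.append(f"{tag}@style"); return False
        if value and name in LOAD_ATTRS:
            # browsers ignore ASCII controls/spaces in the scheme, so strip them before checking it
            s = urlsplit(re.sub(r"[\x00-\x20]+", "", value)).scheme.lower()
            # a link needs a click, so only script schemes are blocked; auto-loaded URLs may only be inline/attached parts
            ok = s in ("", "http", "https", "mailto") if (tag, name) == ("a", "href") else s in ("cid", "data")
            if not ok:
                self.blocked.append(f"{tag}@{name}={value}"); return False
        return True
    def handle_starttag(self, tag, attrs):
        if self._skip or tag in DROP_TAGS:
            if tag in DROP_TAGS: self.blocked.append(f"<{tag}>")
            if tag not in VOID_TAGS: self._skip += 1   # skip the element's content up to its end tag
            return
        parts = [tag] + [n if v is None else f'{n}="{html.escape(v)}"'
                         for n, v in attrs if self._attr_ok(tag, n, v)]
        self.out.append(f"<{' '.join(parts)}>")
    def handle_endtag(self, tag):
        if tag in VOID_TAGS: return
        if self._skip: self._skip -= 1
        else: self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self._skip: self.out.append(html.escape(data, quote=False))
def sanitize_email_html(raw):
    """Return (safe_html, blocked_items); blocked_items can be shown to the user as an opt-in list."""
    p = EmailSanitizer(); p.feed(raw); p.close()
    return "".join(p.out), p.blocked

# Constructed sample message, along the lines of the report above (not a real email)
SAMPLE = ('<html><body><p onclick="x()">Hi</p><script>alert(1)</script>'
          '<img src="https://tracker.example/p.gif" width="1"><img src="cid:logo" alt="logo">'
          '<a href="javascript:alert(1)">bad</a><a href="https://example.com/">ok</a></body></html>')
```

Serving the sanitized page with a restrictive Content-Security-Policy header (no script sources, image sources limited to data: and the bot's own origin) is a cheap second layer in case the sanitizer misses a construct.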