v1.19.3
This release includes an important security fix, so upgrading is strongly recommended.
A vulnerability was discovered which allowed a bad actor with SMTP access to Mailpit to bypass the Content Security Policy headers using a series of crafted HTML messages, which could result in a stored XSS attack via the web UI. A special thanks to @bmodotdev for responsibly disclosing the vulnerability, providing information and a draft fix. Additional preventative measures have also been added (see below).
- The CSP headers have been hardened: a script will only run if it carries a valid nonce. This makes it impossible to inject any other local JavaScript files (remote & inline JavaScript was already blocked).
- All message HTML is now sanitized via DOMPurify before rendering in the preview. This removes all unsupported elements such as `<script>` & `<iframe>` (which aren't allowed to run anyway), and makes the HTML even safer. Significant testing has been done to ensure regular message previews do not break as a result, but should you experience issues then please report these via the issue tracker.
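The nonce mechanism behind the first measure, shown as an added Go example (not Mailpit's own code): a fresh random nonce is generated per response, placed in the `script-src` directive, and handed to the page template so only the bundled app script can run; the listen address and `/app.js` path are placeholders.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"net/http"
)

// newNonce returns a fresh, unpredictable CSP nonce (128 bits, base64).
// It must be generated per response: a reused or guessable nonce gives no
// protection, because the policy trusts any script tag that carries it.
func newNonce() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(b), nil
}

// cspHeader builds a policy in which only <script> elements carrying this
// nonce may run: inline scripts, remote scripts and same-origin script files
// that lack the nonce are all refused by the browser.
func cspHeader(nonce string) string {
	return "default-src 'self'; script-src 'nonce-" + nonce + "'; object-src 'none'; base-uri 'self'"
}

// withCSP issues a nonce per response, sets the header and passes the nonce to the renderer.
func withCSP(render func(w http.ResponseWriter, nonce string)) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		nonce, err := newNonce()
		if err != nil {
			http.Error(w, "cannot generate CSP nonce", http.StatusInternalServerError)
			return
		}
		w.Header().Set("Content-Security-Policy", cspHeader(nonce))
		render(w, nonce)
	}
}

// renderApp stands in for the UI template (assumed, not the project's): the bundled
// app script runs only because it carries the nonce (standard base64, so no HTML escaping needed).
func renderApp(w http.ResponseWriter, nonce string) {
	fmt.Fprintf(w, `<!doctype html><html><body><div id="app"></div><script nonce="%s" src="/app.js"></script></body></html>`, nonce)
}

func main() {
	http.Handle("/", withCSP(renderApp))
	http.ListenAndServe("127.0.0.1:8025", nil) // placeholder listen address
}
```

A message body rendered inside this page cannot supply a matching nonce, so any `<script>` it smuggles past other filters is still refused by the browser.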
Changelog
Fix
- Security: Prevent bypass of Content Security Policy using stored XSS, and sanitize preview HTML data (DOMPurify)
Chore
- Update Go dependencies
- Display nicer `<noscript>` message when JavaScript is disabled