bug x cross-site scripting on mail #794

Closed
alejandroaguilarhiguera opened this issue Sep 27, 2021 · 1 comment
Labels
🐛 bug Something isn't working

Comments

@alejandroaguilarhiguera

I wrote the tag with an image in the name of the team, then invited a contact.
[image]

ConnorGargano added the 🐛 bug label Oct 21, 2021

Azhariel commented May 18, 2022

Tried to reproduce this error, but now I have some questions.
I set the user's display name and the team name as long `<img>` tags, but they weren't compiled or shown as images in the email. This does show the issue of long strings being permitted as display name and team name, but that's another issue.

This was my result:
[image]

So my questions are:

  1. Did the image show on your test?
  2. If it didn't, is this a security issue?
  3. Should we disallow special characters for users and teams display names?
  4. Should we implement a max length for those fields or just fix their display on the email?
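
Questions 3 and 4 above turn on how the display name and team name reach the email body. The following JavaScript is an added example, not code from this project: it escapes and truncates both fields at render time, next to the raw interpolation that lets an `<img>` tag through. The function names, the invitation template and the 64-character cap are assumptions.

```javascript
// Added example: names, template and length cap are hypothetical, not the project's code.
const MAX_NAME_LENGTH = 64; // assumed display cap for names in emails

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the characters that can open a tag, an attribute or an entity.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Truncate by code point so a surrogate pair (emoji) is never split.
function truncate(value, max = MAX_NAME_LENGTH) {
  const chars = Array.from(String(value));
  return chars.length <= max ? chars.join('') : chars.slice(0, max - 1).join('') + '…';
}

// Order matters: truncating after escaping could cut "&lt;" in half.
function safeName(value) {
  return escapeHtml(truncate(value));
}

// Before: user-controlled fields are interpolated straight into the HTML body.
function renderInviteUnsafe(inviter, team) {
  return `<p>${inviter} invited you to join <strong>${team}</strong>.</p>`;
}

// After: names keep every character the user typed, but render as text.
function renderInviteSafe(inviter, team) {
  return `<p>${safeName(inviter)} invited you to join <strong>${safeName(team)}</strong>.</p>`;
}

// Constructed sample input: a long team name carrying an <img> tag.
const sampleTeam = '<img src="https://example.invalid/logo.png">' + 'A'.repeat(200);
const sampleInviter = 'Ana & Co';

console.log(renderInviteUnsafe(sampleInviter, sampleTeam));
console.log(renderInviteSafe(sampleInviter, sampleTeam));
```

Escaping at output keeps special characters legal in names, so the input-side restriction in question 3 becomes a product choice rather than the security control.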

Status: Done
4 participants