Describe the bug: HTML emails rendered with incomplete sanitization. JavaScript URLs and event handlers may execute. Potentially dangerous with terminal emulators supporting OSC 8 hyperlinks.
To reproduce:
- Receive HTML email with
- Or onclick= event handler
- If terminal supports OSC 8, could trigger actions
- Risk varies by terminal emulator
Expected behavior: Strict HTML sanitization:
- Whitelist safe tags only (p, div, span, a, img, etc.)
- Strip all javascript: URLs
- Remove all on* event attributes
- Sanitize CSS (no expression() or url() with javascript)
- Use bluemonday or similar library
Additional context:
- File: view/html.go, clib/htmlconv.c
- Currently converts to plaintext, but may miss cases
- Severity: Medium-High - XSS potential
- Complexity: High - security-critical HTML parsing
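An added illustration of the whitelist policy listed under Expected behavior, written in Python's standard library rather than the project's Go/C code; it is example code, not the project's own, and the recommendation to use bluemonday above still stands. The tag/attribute whitelist, scheme list and sample inputs are constructed for the example.

```python
import html
import re
from html.parser import HTMLParser

# Constructed whitelist policy for this example (assumption, not the project's own).
ALLOWED_TAGS = {"p", "div", "span", "a", "img", "br"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}  # plus style on any allowed tag
URL_ATTRS, SAFE_SCHEMES = {"href", "src"}, {"http", "https", "mailto"}
CONTROL = re.compile(r"[\x00-\x20\x7f]")  # browsers ignore these inside a URL scheme
def safe_url(value):
    # Entities are already decoded by HTMLParser; control chars are stripped so 'java\tscript:' fails too
    m = re.match(r"([a-z][a-z0-9+.\-]*):", CONTROL.sub("", value), re.IGNORECASE)
    return m is None or m.group(1).lower() in SAFE_SCHEMES  # no scheme (relative URL) passes
def safe_css(value):
    v = CONTROL.sub("", value).lower()  # reject expression() and url() with an unlisted scheme
    return "expression(" not in v and all(
        safe_url(m.group(1)) for m in re.finditer(r"url\(['\"]?([^'\")]*)", v))

class EmailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__()           # convert_charrefs=True: entities are decoded for us
        self.out, self.skip = [], 0  # skip > 0 inside <script>/<style>; that text is dropped
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
        if self.skip or tag not in ALLOWED_TAGS:
            return                   # unknown tags are removed; their text content is kept
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()) | {"style"}:
                continue             # every on* event handler and unlisted attribute is removed
            if (name in URL_ATTRS and not safe_url(value)) or (name == "style" and not safe_css(value)):
                continue             # javascript: URLs and dangerous CSS are removed
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))

def sanitize(src):
    p = EmailSanitizer()
    p.feed(src)
    p.close()
    return "".join(p.out)
```

The scheme check runs after entity decoding and control-character stripping, which is what catches the `&#106;avascript:` and `java<TAB>script:` spellings that a plain substring match on `javascript:` misses.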