Closed
Description
We received a vulnerability report and confirmed it to be usable to inject HTML in emails. A regular text-field was used with content
"<img src=x><a href="http://evil.com">clickme</a>"
That got escaped via htmlspecialchars in VariablesViewHelper, but after being rendered the properly escaped HTML was again turned into a working HTML injection by the last line (html_entity_decode).
Can you possibly confirm the issue and explain why there is an html_entity_decode at all in this place?

```php
return html_entity_decode($parseObject->render(), ENT_QUOTES, 'UTF-8');
```
The environment that this happens in (unfortunately) still is a TYPO3 v11 with powermail 10.9.2 (last compatible with v11). But the code in master seems like nothing changed in this regard.
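The following is an added reproduction of the round trip described in the report; it is not powermail's code. The only input is the constructed attacker string from the issue, `escapeForHtml` stands in for what the escaping view helper does, and `renderThenDecode` applies the same `html_entity_decode` call to the rendered output. `renderHardened` is an assumed fix, shown only to contrast the order of operations: if entities in the template text need decoding, decode the template first and escape the field value afterwards, so the escape is the last transformation applied to user data.

```php
<?php
declare(strict_types=1);

// Constructed sample input: the payload quoted in the report.
$userInput = '<img src=x><a href="http://evil.com">clickme</a>';

// Stand-in for an escaping view helper: htmlspecialchars with ENT_QUOTES.
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// The pattern from the issue: decode entities on the fully rendered output.
// Any value that was escaped earlier in the pipeline is un-escaped here.
function renderThenDecode(string $renderedTemplate): string
{
    return html_entity_decode($renderedTemplate, ENT_QUOTES, 'UTF-8');
}

// Assumed hardened variant (not powermail's code): decode only the template
// text, then interpolate the escaped user value so escaping happens last.
function renderHardened(string $templateText, string $fieldValue): string
{
    $decodedTemplate = html_entity_decode($templateText, ENT_QUOTES, 'UTF-8');
    return str_replace('{value}', escapeForHtml($fieldValue), $decodedTemplate);
}

// Vulnerable pipeline: escape, interpolate, render, decode.
$escaped = escapeForHtml($userInput);
// $escaped is &lt;img src=x&gt;&lt;a href=&quot;http://evil.com&quot;&gt;clickme&lt;/a&gt;
$template = '<p>Your message: ' . $escaped . '</p>';
$vulnerable = renderThenDecode($template);

// Hardened pipeline with the same template and the same input.
$safe = renderHardened('<p>Your message: {value}</p>', $userInput);

// Checks: the raw tag must reappear in the vulnerable output and stay encoded in the safe one.
if (strpos($vulnerable, '<img src=x>') === false) {
    throw new RuntimeException('expected html_entity_decode to restore the raw markup');
}
if (strpos($safe, '<img src=x>') !== false || strpos($safe, '&lt;img src=x&gt;') === false) {
    throw new RuntimeException('hardened output must keep the value escaped');
}

echo "vulnerable: {$vulnerable}\n";
echo "safe:       {$safe}\n";
```

Run it with `php` on the command line; the vulnerable line prints the live `<img>` and `<a>` markup, while the hardened line prints the entities. The general point is independent of the view helper involved: any entity decode applied after escaping, on output that contains escaped user data, cancels the escape.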