[Email] Email log: do not allow script/iframe execution in preview wi…

…ndow
pimcore · Oct 30, 2019 · e0b48fa · e0b48fa
1 parent 30a9111
commit e0b48fa
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/bundles/AdminBundle/Controller/Admin/EmailController.php b/bundles/AdminBundle/Controller/Admin/EmailController.php
@@ -133,7 +133,9 @@ public function showEmailLogAction(Request $request, ?Profiler $profiler)
 
             return new Response('<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><style>body{background-color:#fff;}</style></head><body><pre>' . $templatingEnginePhp->escape($emailLog->getTextLog()) . '</pre></body></html>');
         } elseif ($request->get('type') == 'html') {
-            return new Response($emailLog->getHtmlLog());
+            return new Response($emailLog->getHtmlLog(), 200, [
+                'Content-Security-Policy' => "default-src 'self'; style-src 'self' 'unsafe-inline'"
+            ]);
         } elseif ($request->get('type') == 'params') {
             try {
                 $params = $this->decodeJson($emailLog->getParams());