You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
New Project Website - The Mail Archiver now has a new dedicated project website at mail-archiver.org
Support for personal Microsoft Accounts Added - Adds OAuth2 IMAP support for personal Microsoft accounts (Outlook.com / M365 Family / Hotmail). Thanks to @XtraLarge !
Per-Account Storage Display - Shows database storage usage per account in the Dashboard "Account Overview" table and the MailAccounts "Show All" table.
⚙️ Improvements
Mail Account Create / Edit / Details UX - Restructured all three pages into visual sections with headers and icons
Folder Exclusion Toggle - Folder badges on the Edit page are now toggleable (click to add, click again to remove) and use semicolon separators matching the server-side parser.
User Create / Edit UX - Restructured both pages into visual sections with headers and icons
Dashboard Visual Polish - Modern gradient stat cards with count-up animation on load
UI Table Harmonization - Unified table styling across Emails, MailAccounts, Users, Jobs, and Logs index pages
🐛 Bug Fixes
Localized Strings Encoding in JavaScript - Localized strings (e.g. French "Tâche d'arrière-plan") were HTML-encoded by Razor when emitted inside <script> blocks, causing entities like ' to appear verbatim in the UI.
Stored XSS via Email HTML Body - Replaced the bypassable regex-based HTML sanitizer in the email viewer with an allowlist-based sanitizer (Ganss.HtmlSanitizer).
IDOR on Email Deletion - Emails/Delete and Emails/DeleteSelected previously only required the SelfManager role, allowing a SelfManager to delete emails belonging to accounts they are not authorized for by guessing/enumerating email IDs.
2FA Session Fixation - The ASP.NET Core session was not regenerated after successful password verification, enabling a session-fixation attack (CWE-384) where an attacker who planted a session cookie pre-login could inherit the post-2FA authenticated state.