
XSS issue - placeholder #1869

martini opened this issue Mar 12, 2018 · 0 comments



commented Mar 12, 2018


  • Used Zammad version: 2.2.1 and higher
  • Installation method (source, package, ..): any
  • Operating system: any
  • Database + version: any
  • Elasticsearch version: any
  • Browser + version: any

@ValtteriL reported an XSS issue. The content of this issue will be public after the issue is solved.

Expected behavior:

  • HTML quoting of all params.

Actual behavior:

  • The subject of emails is not HTML-quoted in certain cases.

Steps to reproduce the behavior:

  • Send an email with following subject into the system: '> <script>alert(1);</script>

The related change/fix is here: 17aa655#diff-9e922c280daaee1ae1875844d3453145
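As an added example, not Zammad's own code or the linked fix, this Ruby snippet shows the defect and its remedy side by side: the subject from the reproduction step interpolated into markup unescaped, then passed through ERB::Util.html_escape, plus the "escape all params" rule from the expected behavior applied to a whole parameter hash. Function names and the check are assumptions for illustration.

```ruby
# Added example (not Zammad code): HTML-quoting an email subject before it is
# placed into a page, and a check that the quoting actually happened.
require 'erb'

# Constructed input: the subject from this issue's reproduction step.
TEST_SUBJECT = "'> <script>alert(1);</script>"

# The defect: the raw subject is interpolated into markup, so any tags it
# carries become part of the DOM and run in the agent's browser.
def render_subject_unescaped(subject)
  "<div class=\"subject\">#{subject}</div>"
end

# The fix: every value that lands in HTML goes through html_escape, which
# turns & < > " ' into entities so the browser renders them as text.
def render_subject_escaped(subject)
  "<div class=\"subject\">#{ERB::Util.html_escape(subject)}</div>"
end

# Expected behavior from the issue: HTML-quote all params, not just one field.
# Hypothetical helper that escapes every string value of a params hash.
def escape_all_params(params)
  params.transform_values { |v| v.is_a?(String) ? ERB::Util.html_escape(v) : v }
end

# A regression-style check: after escaping, no raw opening tag from the input
# survives into the markup (our own <div> wrapper is the only tag allowed).
def raw_tag_from_input?(html, wrapper_tag = 'div')
  html.scan(/<\s*\/?\s*([a-z][a-z0-9]*)/i).flatten.any? { |t| t.downcase != wrapper_tag }
end
```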

@martini martini added the verified label Mar 12, 2018

@martini martini added this to the 2.2.2 milestone Mar 12, 2018

@martini martini self-assigned this Mar 12, 2018

@martini martini closed this Apr 4, 2018
