Sec: Fix CVE-2022-29360 XSS vulnerability

[sadsfae]

• PR including the XSS patch for CVE-2022-29360

(patch credit)

• https://blog.sonarsource.com/rainloop-emails-at-risk-due-to-code-flaw/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29360

[Neustradamus]

@RainLoop: Can you look?

[nerzhul]

project seems dead author or company just resigned :(

[Neustradamus]

Please use SnappyMail from @the-djmaze, we can thanks for this work!

• https://snappymail.eu/
• https://github.com/the-djmaze/snappymail/

Please note that SnappyMail supports SCRAM-SHA-* for connection, very good security:

• https://github.com/the-djmaze/snappymail/issues/182
• https://github.com/the-djmaze/snappymail/blob/master/snappymail/v/0.0.0/app/libraries/RainLoop/Model/Account.php

Linked to:

• https://github.com/RainLoop/rainloop-webmail/issues/2185
• https://github.com/RainLoop/rainloop-webmail/pull/2183
• https://github.com/RainLoop/rainloop-webmail/issues/2180
• https://github.com/RainLoop/rainloop-webmail/issues/2162
• https://github.com/RainLoop/rainloop-webmail/issues/2142
• https://github.com/RainLoop/rainloop-webmail/issues/2134
• https://github.com/RainLoop/rainloop-webmail/issues/1831

[RainLoop]

Fixed

[Neustradamus]

@RainLoop: Where is the fix?

[RainLoop]

https://github.com/RainLoop/rainloop-webmail/pull/2187 https://github.com/RainLoop/rainloop-webmail/pull/2187/files#diff-22b1d644ea4075b18f15da66d7f277924b8df180700f379cb6eef964a9736c07R242

[sadsfae]

Welcome back @RainLoop

[ShamimIslam]

This issue is fixed. Let's back off from the hype. The replacement body item is now random hash. Thanks. v0.17 does not have this.