Closed. ETrivedi10 closed this issue 5 years ago.
Hi Ekta! Thanks for reporting this :)
I think this is just a matter of adding the sandbox property to the iframe. I just did a quick test locally and it does stop it. The console then says:
"Blocked script execution in 'about:srcdoc' because the document's frame is sandboxed and the 'allow-scripts' permission is not set."
Might not be much effort to add this and cut a point release. @tsneed290 any gotchas that you can think of if I add this attr?
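The fix described above, as an added example that is not HoldMail's own code: a helper that wraps an untrusted email body in a `srcdoc` iframe with an empty `sandbox` attribute (so `allow-scripts` is never granted), plus a check that flags an iframe whose sandbox is missing or permissive. The function names and the sample email are assumptions constructed for this example.

```javascript
// Added example, not HoldMail's code. Function names are assumptions.

// Escape text for a double-quoted HTML attribute such as srcdoc.
// Without this, a quote in the email body would close the attribute
// and let the body inject its own attributes or tags.
function escapeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
          .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Build the iframe markup. An empty sandbox attribute applies every
// restriction: no script execution, no forms, an opaque origin.
function renderEmailFrame(untrustedHtml) {
  return `<iframe sandbox="" srcdoc="${escapeAttr(untrustedHtml)}"></iframe>`;
}

// Minimal attribute parser for a single <iframe ...> start tag. Values are
// always double-quoted by renderEmailFrame, so [^"]* consumes each value
// and text inside srcdoc is never mistaken for an attribute.
function parseAttrs(tag) {
  const attrs = {};
  const body = tag.replace(/^<iframe\b/i, '').replace(/\/?>[\s\S]*$/, '');
  for (const m of body.matchAll(/([a-z-]+)(?:\s*=\s*"([^"]*)")?/gi)) {
    attrs[m[1].toLowerCase()] = m[2] ?? '';
  }
  return attrs;
}

// True only if the tag carries a sandbox attribute that grants neither
// allow-scripts (the permission named in the console message above) nor
// allow-same-origin, which combined with allow-scripts would let the
// framed document strip its own sandbox.
function isSafelySandboxed(iframeTag) {
  const attrs = parseAttrs(iframeTag);
  if (!('sandbox' in attrs)) return false;
  const tokens = attrs.sandbox.toLowerCase().split(/\s+/).filter(Boolean);
  return !tokens.includes('allow-scripts') && !tokens.includes('allow-same-origin');
}

// Constructed sample: a registration mail body carrying an inline script.
const sampleEmail = '<p>Welcome, "user"</p><script>alert(1)</script>';
const frame = renderEmailFrame(sampleEmail);
console.log(frame);
console.log('sandboxed:', isSafelySandboxed(frame));
```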
I think that's a great solution, thanks for jumping on this so fast!
Fixed in release 2.0.1
Question/Issue Overview
HoldMail showing XSS script
Expected Behavior
Should validate input values upon creation of user
Current Behavior
When the registration email notification is clicked, it displays the XSS script.
What it's actually doing, and why this doesn't match your expectations
Reproducible Sequence
Additional Information
Anything relevant to help us resolve the problem. For example, if you are sending email, include any response codes in HoldMail, any log messages you receive, or screenshots of rendering issues.

![holdmail xss script](https://user-images.githubusercontent.com/43281342/45573211-53aa3b00-b85b-11e8-8243-ba870942ab56.png)
For long outputs such as stacktraces please use HTML5 `<details>`