SpartaSystems / holdmail

HoldMail is a Java Application for proxying SMTP mail, providing a browsable viewer for captured emails.
Apache License 2.0

Clicking on registration email notification via holdmail, showing xss script #81

Closed ETrivedi10 closed 5 years ago

ETrivedi10 commented 5 years ago

Question/Issue Overview

Holdmail shows the XSS script

Expected Behavior

Should validate input values upon creation of user

Current Behavior

When the registration email notification is clicked, it displays the XSS script


Reproducible Sequence
  1. Add user using -- this script (Given Name, Family name)
  2. Send invite
  3. From holdmail, click on the email invite
  4. Holdmail shows the XSS script when the email notification is clicked
Additional Information

holdmail xxx script

barryoneill commented 5 years ago

Hi Ekta! Thanks for reporting this :)

I think this is just a matter of adding the sandbox property to the iframe. I just did a quick test locally and it does stop it. The console then says:

"Blocked script execution in 'about:srcdoc' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.".

Might not be much effort to add this and cut a point release. @tsneed290 any gotchas that you can think of if I add this attr?
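A sketch of the mitigation described in this comment, added here as an example and not HoldMail's own code. The console message above shows that the viewer renders the captured message through an iframe's `srcdoc` attribute, so the example builds that markup two ways: the pre-fix shape with no `sandbox` attribute, and the fixed shape with `sandbox=""`, which applies every restriction and blocks script execution in the framed message. The function names, the attribute-escaping helper and the sample email are assumptions for illustration. It also rejects one token combination worth knowing about when adding `sandbox`: `allow-scripts` together with `allow-same-origin` lets same-origin framed content (which `srcdoc` content is) remove its own sandbox attribute.

```javascript
// Added example (not HoldMail's code): build the iframe markup a mail viewer
// would use to display a captured message body, with and without the sandbox
// attribute this thread adds. Function names are illustrative.

// HTML-escape a string for use inside a double-quoted attribute value.
// srcdoc is an attribute, so the email body must be attribute-escaped or a
// quote inside the body would terminate the attribute and let markup leak
// into the viewer page itself.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Reject sandbox token lists that defeat the purpose: allow-scripts plus
// allow-same-origin lets same-origin framed content (srcdoc content is
// same-origin with the embedder) strip its own sandbox attribute.
function validateSandboxTokens(tokens) {
  const set = new Set(tokens);
  if (set.has("allow-scripts") && set.has("allow-same-origin")) {
    throw new Error(
      "sandbox: allow-scripts + allow-same-origin lets srcdoc content escape the sandbox"
    );
  }
  return [...set].join(" ");
}

// Fixed shape. sandbox="" (no tokens) applies every restriction: no script
// execution, opaque origin, no form submission, no top navigation, no popups.
function buildEmailFrame(emailHtml, sandboxTokens = []) {
  const sandbox = validateSandboxTokens(sandboxTokens);
  return `<iframe sandbox="${sandbox}" srcdoc="${escapeAttr(emailHtml)}"></iframe>`;
}

// Pre-fix shape: same srcdoc, no sandbox attribute, so a <script> inside the
// captured message runs when the email is opened in the viewer.
function buildUnsandboxedFrame(emailHtml) {
  return `<iframe srcdoc="${escapeAttr(emailHtml)}"></iframe>`;
}

// Constructed sample: a registration email whose name field carried a script
// tag, as described in the issue. Not a real captured message.
const SAMPLE_EMAIL = '<p>Welcome, <script>alert("xss")</script>!</p>';

console.log("before fix:", buildUnsandboxedFrame(SAMPLE_EMAIL));
console.log("after fix: ", buildEmailFrame(SAMPLE_EMAIL));
```

The entities in the `srcdoc` value are decoded back into the framed document, so the script tag is still present in the rendered message; what stops it from running is the `sandbox` attribute, which is exactly the behaviour the console message above reports. Keeping the token list empty is the simplest correct setting for a viewer that only needs to display HTML.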

tsneed290 commented 5 years ago

I think that's a great solution, thanks for jumping on this so fast!

barryoneill commented 5 years ago

Fixed in release 2.0.1