nedimf / maildroid

Maildroid is a small robust Android library for sending emails using an SMTP server

XSS in Body Mail #21

Closed rezaduty closed 4 years ago

rezaduty commented 4 years ago

Describe the bug: inject <h1 onload=alert(document.cookie)>Hello World!</h1> and it is triggered on load of the element and gets cookies

nedimf commented 4 years ago

We can only prevent this by using some type of wrapper/checker, because this is not a library problem but more a JavaMailAPI one, which handles sending email. I'm aware of XSS, but inline HTML XSS I'm not sure how to fix. I'll have a look and post a commit. Thank you for letting me know @rezaduty.

nedimf commented 4 years ago

After careful consideration, I figured that this should not be part of the library itself. It's on the email client to parse the email body with potential JavaScript in it. Although I did add isJavascriptEnabled to handle that JavaScript parsing, the problem is that it only allows HTML tags. So inline CSS is not supported. Even doing CSS in <style> can cause parsing problems. The e-mail will be sent successfully, but the HTML layout of the email will potentially be distorted.
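
The "wrapper/checker" idea from the thread, as an added example that is not part of the issue or of maildroid's code: an application that builds an HTML mail body from user-supplied text can escape that text before interpolating it into a fixed template, so markup such as the payload reported above arrives as inert text. The helper names `escapeHtml` and `buildHtmlBody` are hypothetical, and the sketch assumes the template itself is written by the developer, not by the user.

```kotlin
// Added example, not maildroid code. Helper names are hypothetical.

/** Escape the characters that can change HTML structure in text or quoted attributes. */
fun escapeHtml(untrusted: String): String {
    val sb = StringBuilder(untrusted.length + 16)
    for (ch in untrusted) {
        when (ch) {
            '&' -> sb.append("&amp;")
            '<' -> sb.append("&lt;")
            '>' -> sb.append("&gt;")
            '"' -> sb.append("&quot;")
            '\'' -> sb.append("&#39;")
            else -> sb.append(ch)
        }
    }
    return sb.toString()
}

/** Fixed, developer-written template; only escaped values are interpolated. */
fun buildHtmlBody(name: String, message: String): String =
    "<h1>Hello ${escapeHtml(name)}</h1>\n<p>${escapeHtml(message)}</p>"

fun main() {
    // Constructed input: the payload from this issue, arriving as user-supplied text.
    val payload = "<h1 onload=alert(document.cookie)>Hello World!</h1>"
    val body = buildHtmlBody("Reza", payload)
    println(body)

    // The payload no longer forms an element or an event-handler attribute.
    check(!body.contains("<h1 onload"))
    check(body.contains("&lt;h1 onload=alert(document.cookie)&gt;"))
}
```

The resulting string can then be passed as the HTML body to whatever mail-sending call the application uses. The receiving mail client's own handling of HTML remains a separate layer, as the maintainer notes.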