Open massar opened 7 years ago
For the emails we send out, make sure there is no (valid) HTML in them.
While we do not set the content to HTML, likely quite a few mail clients will just render it as HTML.
Thus at minimum we should never allow '<' and '>' in any fields that we render as email, so that no HTML tags can be formed.
See amongst others:
http://lcamtuf.coredump.cx/postxss/
https://thehackerblog.com/keeping-positive-obtaining-arbitrary-wildcard-ssl-certificates-from-comodo-via-dangling-markup-injection/index.html
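One way to enforce the policy described above (reject any field bound for an outgoing email that contains `<` or `>`), as an added example that is not the project's own code; the template, field names and sample values are constructed for illustration.

```python
import re

# Characters that can open or close an HTML tag if a mail client decides
# to render a nominally text/plain message as HTML.
TAG_DELIMITERS = re.compile(r"[<>]")


class UnsafeEmailField(ValueError):
    """Raised when a field destined for an email body could form an HTML tag."""


def is_safe_email_field(value: str) -> bool:
    """True if the value contains neither '<' nor '>'."""
    return TAG_DELIMITERS.search(value) is None


def check_email_field(name: str, value: str) -> str:
    """Strict policy from the issue: return the value unchanged or raise."""
    match = TAG_DELIMITERS.search(value)
    if match:
        raise UnsafeEmailField(
            f"field {name!r} contains {match.group(0)!r} at offset {match.start()}"
        )
    return value


def strip_tag_delimiters(value: str) -> str:
    """Lenient alternative: drop the delimiters instead of rejecting the field."""
    return TAG_DELIMITERS.sub("", value)


def render_email(template: str, fields: dict) -> str:
    """Substitute fields into a plain-text template, checking every field first.

    Only the template is interpreted by str.format; field values are inserted
    verbatim, so the check above is the only thing standing between a
    user-supplied value and the mail body.
    """
    safe = {name: check_email_field(name, value) for name, value in fields.items()}
    return template.format(**safe)


# Constructed template (hypothetical, not from the project).
TEMPLATE = "Hello {display_name},\n\nYour account {account} was updated.\n"

if __name__ == "__main__":
    print(render_email(TEMPLATE, {"display_name": "Jane Doe", "account": "jane@example.com"}))
    try:
        render_email(TEMPLATE, {"display_name": "Jane <b>Doe</b>", "account": "jane@example.com"})
    except UnsafeEmailField as exc:
        print("rejected:", exc)
```

Rejecting is preferable to stripping for fields a user typed, because a silently altered display name is hard to notice in logs; the strip variant is there for fields where refusing to send is worse than losing two characters.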