From f78fbc7401950eb90dd1fec529f65fe5bf3d1b2c Mon Sep 17 00:00:00 2001 From: Volker Schukai <volker.schukai@schukai.com> Date: Thu, 3 Jul 2025 14:17:43 +0200 Subject: [PATCH] fix: Add HTML escaping for message headers to prevent XSS Summary of changes - Added an `escapeHTML` function to sanitize header values. - Updated the rendering of list items in message headers to use the `escapeHTML` function. Reasoning for changes: - Introduced an `escapeHTML` method to protect against potential cross-site scripting (XSS) attacks by encoding special HTML characters in message headers. - Ensured that any content displayed in the application is treated as plain text, preventing malicious scripts from being executed through user-generated content. - Improved overall security of the message rendering process in `message.mjs`.
---
 source/components/content/viewer/message.mjs | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/source/components/content/viewer/message.mjs b/source/components/content/viewer/message.mjs
index 7e19dd4f..3b518179 100644
--- a/source/components/content/viewer/message.mjs
+++ b/source/components/content/viewer/message.mjs
@@ -193,6 +193,15 @@ class MessageContent extends CustomElement {
 this.setOption("message.subject", message?.subject || null);
 this.setOption("message.messageID", message?.messageID || null);
 
+ function escapeHTML(str) {
+ return str
+ .replace(/&/g, "&")
+ .replace(/</g, "<")
+ .replace(/>/g, ">")
+ .replace(/"/g, """)
+ .replace(/'/g, "'");
+ }
+
 const headers = [];
 for (const [key, value] of Object.entries(message?.headers || {})) {
 if (key && value) {
@@ -200,7 +209,8 @@ class MessageContent extends CustomElement {
 if (isArray(valueString)) {
 valueString = "<ul>";
 for (const item of value) {
- valueString += `<li>${item}</li>`;
+ const escapedItem = escapeHTML(item);
+ valueString += `<li>${escapedItem}</li>`;
 }
 valueString += "</ul>";
 }
--
GitLab
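Review bot: As the first hunk reads, every `.replace` in `escapeHTML` substitutes a character for itself (`/&/g` → `"&"`, `/</g` → `"<"`, and so on), so the function is an identity and the `<li>${escapedItem}</li>` interpolation in the second hunk is still unescaped. This may be the page decoding the entity references for display, in which case the committed file is fine, but it is worth confirming that the replacement strings are `&amp;`, `&lt;`, `&gt;`, `&quot;` and `&#39;`, with the `&` rule applied first so earlier output is not re-escaped. Independently, `str.replace` throws a TypeError when a header item is not a string (a number, or `null` from a malformed header), so coercing with `String(str)` first keeps one odd header from aborting the whole render. Only the array branch is escaped here; whether the scalar `valueString` path is interpolated into HTML the same way cannot be seen from this hunk, and the enclosing method starts and ends outside both hunks.
```javascript
        function escapeHTML(str) {
            // Coerce first so non-string header items cannot throw; "&" must be
            // replaced before the other rules so their output is not re-escaped.
            return String(str)
                .replace(/&/g, "&amp;")
                .replace(/</g, "&lt;")
                .replace(/>/g, "&gt;")
                .replace(/"/g, "&quot;")
                .replace(/'/g, "&#39;");
        }
        // … unchanged: headers loop …
```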