User-controlled fields rendered into notification emails (task title via the conversational header, comment and description bodies) were sanitized with a bluemonday UGCPolicy that permits remote <img> sources. An attacker with write access to a shared project could therefore inject an external image that acts as a tracking pixel in a subscriber's inbox, leaking email-open time and IP. Restrict notification-email images to inline data URIs (used by avatars) by adding a RewriteSrc hook that blanks any non-data image src. The policy was duplicated in three places, so extract it into newNotificationSanitizer. Refs GHSA-2vr2-r3qw-rjvq
| File |
|---|
| .. |
| database.go |
| db.go |
| events.go |
| logo.png |
| mail.go |
| mail_render.go |
| mail_test.go |
| main_test.go |
| markdown_escape.go |
| markdown_escape_test.go |
| notification.go |
| notification_test.go |
| notify_disabled_test.go |
| testing.go |
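The commit message describes the fix only in outline: a src-rewrite hook that blanks every image source that is not an inline data URI. The following is an added example, written for this page and not code from the project or from bluemonday, showing what such a hook looks like and how it behaves on the inputs an attacker would try (absolute https, scheme-relative `//host/...`, relative paths, `javascript:`, and `data:` URIs that are not images). The function names `blankRemoteImageSrc`, `isInlineImageData`, `rewriteSrc` and `rewriteImgSrcs` are mine; the media-type allowlist mirrors what I understand bluemonday's `AllowDataURIImages` to permit (gif, jpeg, png, webp), and the hook signature `func(*url.URL)` is my understanding of bluemonday's `Policy.RewriteSrc`, so treat both as assumptions. The regexp-based `rewriteImgSrcs` is a stand-in for bluemonday's HTML tokenizer so the example runs with the standard library alone; the sample notification body is constructed.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// isInlineImageData reports whether the opaque part of a data: URI
// ("image/png;base64,...") names an image type that an email client can
// render without fetching anything. Assumption: this allowlist mirrors
// bluemonday's AllowDataURIImages; SVG is deliberately excluded.
func isInlineImageData(opaque string) bool {
	mediaType := opaque
	if i := strings.IndexAny(mediaType, ";,"); i >= 0 {
		mediaType = mediaType[:i]
	}
	switch strings.ToLower(mediaType) {
	case "image/gif", "image/jpeg", "image/png", "image/webp":
		return true
	}
	return false
}

// blankRemoteImageSrc is a src-rewrite hook in the shape I understand
// bluemonday's Policy.RewriteSrc to take (func(*url.URL), mutating in place).
// Anything that is not an inline image data URI is blanked, so an <img> in a
// notification mail can never reach out to an attacker-controlled host and
// report the open time and IP of the subscriber.
//
// Wiring (not run here; assumes the bluemonday API named above):
//   p := bluemonday.UGCPolicy()
//   p.RewriteSrc(blankRemoteImageSrc)
func blankRemoteImageSrc(u *url.URL) {
	if u == nil {
		return
	}
	// url.Parse lowercases the scheme and stores "data:<opaque>" in u.Opaque.
	if u.Scheme == "data" && isInlineImageData(u.Opaque) {
		return // avatar-style inline image: keep as is
	}
	// Blank everything else: http(s), scheme-relative "//host/pixel.gif",
	// relative paths, cid:, file:, javascript:, and non-image data: URIs.
	*u = url.URL{}
}

// rewriteSrc applies the hook to one raw src attribute value and returns the
// value that should be written back into the HTML ("" when blanked).
func rewriteSrc(raw string) string {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil {
		return "" // unparsable src: treat as hostile, drop it
	}
	blankRemoteImageSrc(u)
	return u.String()
}

// imgSrcRe finds src="..." inside <img> tags. This is only a stand-in for
// bluemonday's tokenizer so the example runs offline; do not sanitize real
// HTML with a regexp.
var imgSrcRe = regexp.MustCompile(`(?i)(<img\b[^>]*\bsrc=")([^"]*)(")`)

// rewriteImgSrcs rewrites every <img src> in an HTML fragment via rewriteSrc.
func rewriteImgSrcs(html string) string {
	return imgSrcRe.ReplaceAllStringFunc(html, func(m string) string {
		sub := imgSrcRe.FindStringSubmatch(m)
		return sub[1] + rewriteSrc(sub[2]) + sub[3]
	})
}

func main() {
	// Constructed notification body: a legitimate inline avatar followed by
	// the kind of 1x1 tracking pixel the advisory describes.
	body := `<p>New comment on your task</p>` +
		`<img src="data:image/png;base64,iVBORw0KGgo=" alt="avatar">` +
		`<img src="https://attacker.example/pixel.gif" width="1" height="1">`
	fmt.Println(rewriteImgSrcs(body))

	for _, src := range []string{
		"https://attacker.example/pixel.gif",
		"//attacker.example/pixel.gif",
		"pixel.gif",
		"javascript:alert(1)",
		"data:text/html;base64,PHNjcmlwdD4=",
		"data:image/svg+xml;base64,PHN2Zz4=",
		"data:image/png;base64,iVBORw0KGgo=",
	} {
		fmt.Printf("%-40q -> %q\n", src, rewriteSrc(src))
	}
}
```

The check is deliberately an allowlist on the scheme plus the media type rather than a denylist of hosts: a scheme-relative `//host/pixel.gif` or a bare relative path would still be resolved against the mail client's base URL, and both are caught because they are simply not `data:`. Whatever bluemonday's own `AllowDataURIImages` has already enforced upstream, the hook re-checks the media type itself so that the policy does not depend on the order in which the two rules run.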