Task titles, project titles, team names, doer/assignee names, and API token titles were interpolated raw into Line(...) calls whose content is rendered to HTML by goldmark and then sanitized with bluemonday UGCPolicy. UGCPolicy intentionally allows safe <a href> and <img src> with http/https URLs, so a title containing Markdown link or image syntax would survive sanitization as a working phishing link or tracking pixel in a legitimate Vikunja email. Introduce notifications.EscapeMarkdown, which prefixes every CommonMark §2.4 backslash-escapable ASCII punctuation character — including '<' so autolinks like `<https://evil.com>` are neutralized before reaching goldmark — with a backslash. Apply it to every user-controlled argument of every Line(...) call in pkg/models that feeds into an i18n template, and to the hand-built "* [title](url) (project)" Markdown link in the overdue-tasks digest notification. Also escape the migration error string in MigrationFailedNotification, an additional sink not listed in the advisory (error messages can carry user-controlled content from the external migration source). Subject(...), Greeting(...), and CreateConversationalHeader(...) are left unchanged: Subject is passed directly to the mail library and is not markdown-rendered, Greeting is rendered via html/template's built-in HTML escaping without markdown, and the conversational header is sanitized as raw HTML by bluemonday in mail_render.go. Fixes GHSA-45q4-x4r9-8fqj. |
||
|---|---|---|
| .claude | ||
| .github | ||
| .vscode | ||
| .zed | ||
| build | ||
| contrib | ||
| desktop | ||
| examples/plugins/example | ||
| frontend | ||
| pkg | ||
| rest | ||
| .devcontainer.json | ||
| .dockerignore | ||
| .editorconfig | ||
| .envrc | ||
| .gitignore | ||
| .golangci.yml | ||
| .opensourcefinder-verify | ||
| AGENTS.md | ||
| CHANGELOG.md | ||
| CLAUDE.md | ||
| CONTRIBUTING.md | ||
| CRUSH.md | ||
| Dockerfile | ||
| LICENSE | ||
| README.md | ||
| cliff.toml | ||
| code-header-template.txt | ||
| conductor.json | ||
| config-raw.json | ||
| crowdin.yml | ||
| devenv.lock | ||
| devenv.nix | ||
| devenv.yaml | ||
| go.mod | ||
| go.sum | ||
| magefile.go | ||
| main.go | ||
| nfpm.yaml | ||
| publiccode.yml | ||
| renovate.json | ||
| tsconfig.json | ||
| vikunja.initd | ||
| vikunja.service | ||
README.md
Vikunja
The Todo-app to organize your life.
If Vikunja is useful to you, please consider buying me a coffee, sponsoring me on GitHub or buying a sticker pack. I'm also offering a hosted version of Vikunja if you want a hassle-free solution for yourself or your team.
Table of contents
Security Reports
If you find any security-related issues you don't want to disclose publicly, please use the contact information on our website.
Features
See the features page on our website for a more exhaustive list or try it on try.vikunja.io!
Docs
All docs can be found on the Vikunja home page.
Roadmap
See the roadmap (hosted on Vikunja!) for more!
Contributing
Please check out the contribution guidelines on the website.
License
Most of this repository is licensed under AGPL‑3.0‑or‑later.
The contents of desktop/ are licensed under
GPL‑3.0‑or‑later.
Unsplash Images
Background images from Unsplash are distributed under the Unsplash License. The license requires giving credit to the photographer and Unsplash. See Unsplash’s terms for more information.