Official Vikunja import
kolaente 0f3730d045 fix(notifications): escape markdown in user-controlled strings in email lines
Task titles, project titles, team names, doer/assignee names, and API
token titles were interpolated raw into Line(...) calls whose content is
rendered to HTML by goldmark and then sanitized with bluemonday UGCPolicy.
UGCPolicy intentionally allows safe <a href> and <img src> with
http/https URLs, so a title containing Markdown link or image syntax
would survive sanitization as a working phishing link or tracking pixel
in a legitimate Vikunja email.

Introduce notifications.EscapeMarkdown, which prefixes every CommonMark
§2.4 backslash-escapable ASCII punctuation character — including '<' so
autolinks like `<https://evil.com>` are neutralized before reaching
goldmark — with a backslash. Apply it to every user-controlled argument
of every Line(...) call in pkg/models that feeds into an i18n template,
and to the hand-built "* [title](url) (project)" Markdown link in the
overdue-tasks digest notification.

Also escape the migration error string in MigrationFailedNotification,
an additional sink not listed in the advisory (error messages can carry
user-controlled content from the external migration source).

Subject(...), Greeting(...), and CreateConversationalHeader(...) are
left unchanged: Subject is passed directly to the mail library and is
not markdown-rendered, Greeting is rendered via html/template's built-in
HTML escaping without markdown, and the conversational header is
sanitized as raw HTML by bluemonday in mail_render.go.

Fixes GHSA-45q4-x4r9-8fqj.
2026-04-09 15:44:04 +00:00
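As an added illustration (not code from the Vikunja repository), the escaping approach the commit describes in Go: every CommonMark §2.4 backslash-escapable ASCII punctuation character gets a backslash, and the hand-built overdue-digest line escapes only its user-controlled parts. The OverdueLine helper, the sample titles and the URLs are assumptions constructed for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// escapable is the set of ASCII punctuation characters that CommonMark §2.4
// allows to be backslash-escaped. Escaping all of them, not only '[' and '(',
// also neutralises autolinks such as <https://example.invalid>, emphasis,
// headings and raw HTML tags, so no Markdown construct survives in the value.
const escapable = "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"

// EscapeMarkdown prefixes every escapable punctuation character with a
// backslash so a CommonMark renderer emits the input as literal text.
// Apply it exactly once per value: escaping an already escaped string
// doubles the backslashes, which would then show up in the rendered mail.
func EscapeMarkdown(s string) string {
	var b strings.Builder
	b.Grow(len(s) * 2)
	for _, r := range s {
		if strings.ContainsRune(escapable, r) {
			b.WriteByte('\\')
		}
		b.WriteRune(r)
	}
	return b.String()
}

// OverdueLine mirrors the hand-built "* [title](url) (project)" digest line
// mentioned in the commit message (hypothetical helper): the user-controlled
// title and project name are escaped, the server-generated URL is trusted.
func OverdueLine(title, url, project string) string {
	return fmt.Sprintf("* [%s](%s) (%s)", EscapeMarkdown(title), url, EscapeMarkdown(project))
}

func main() {
	// Constructed sample: a task title carrying a Markdown link and an autolink.
	title := "Invoice [open](https://phish.invalid) <https://phish.invalid>"
	fmt.Println(EscapeMarkdown(title))
	fmt.Println(OverdueLine("Pay *now*", "https://vikunja.example/tasks/1", "Finance"))
}
```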
.claude chore(dev): add prepare worktree command to mage 2026-01-24 18:32:23 +01:00
.github fix(ci): use actual docker meta tags for preview comment SHA links 2026-04-07 15:05:48 +00:00
.vscode feat(dev): add frontend and api to launch config 2025-06-19 14:54:08 +02:00
.zed fix(dev): zed frontend task 2025-06-26 12:32:04 +02:00
build fix(release): use openrc for alpine (#1016) 2025-06-25 10:40:11 +00:00
contrib feat: improve clean-translations script (#964) 2025-06-16 19:31:41 +00:00
desktop fix(deps): update lodash to 4.18.1 2026-04-07 15:38:52 +02:00
examples/plugins/example feat(plugins): add example plugin 2026-03-30 20:44:46 +00:00
frontend fix(deps): bump basic-ftp override to 5.2.1 to patch CRLF injection 2026-04-09 15:34:00 +02:00
pkg fix(notifications): escape markdown in user-controlled strings in email lines 2026-04-09 15:44:04 +00:00
rest chore: add missing eof newlines (#969) 2025-06-17 09:11:32 +00:00
.devcontainer.json chore(dev): use latest devenv docker container for devcontainer 2025-07-02 20:17:29 +02:00
.dockerignore Revert "feat: improve docker layers (#803)" 2025-05-21 10:18:57 +02:00
.editorconfig chore(dev): insert final newline 2025-05-23 11:56:50 +02:00
.envrc chore: add missing eof newlines (#969) 2025-06-17 09:11:32 +00:00
.gitignore chore: add plans/ directory to .gitignore 2026-03-30 20:12:25 +00:00
.golangci.yml feat(plugins): extract third-party symbols for yaegi 2026-03-30 20:44:46 +00:00
.opensourcefinder-verify chore: add opensourcefinder verification 2026-02-26 17:12:26 +01:00
AGENTS.md docs: instruct agents to save test output instead of re-running tests 2026-02-25 09:22:14 +01:00
CHANGELOG.md chore: v2.2.2 release preparations 2026-03-23 21:49:15 +01:00
CLAUDE.md docs: add AGENTS.md file with instructions for AI coding agents 2025-06-10 14:23:55 +02:00
CONTRIBUTING.md docs: rewrite CONTRIBUTING.md with setup, workflow, and style guides 2026-03-24 21:33:55 +01:00
CRUSH.md docs: add link for crus coding agent instructions 2025-08-01 16:52:30 +02:00
Dockerfile fix: ensure /tmp is writable by container user in Docker image 2026-03-10 23:20:58 +01:00
LICENSE fix: correct license header references (#882) 2025-06-10 12:18:38 +02:00
README.md chore: v2.2.2 release preparations 2026-03-23 21:49:15 +01:00
cliff.toml fix: add \n between scoped and unscoped commits in git cliff config 2024-11-08 11:19:50 +01:00
code-header-template.txt fix: correct license header references (#882) 2025-06-10 12:18:38 +02:00
conductor.json chore(dev): add conductor config 2025-12-07 23:02:19 +01:00
config-raw.json feat(plugins): add plugin config options 2026-03-30 20:44:46 +00:00
crowdin.yml chore: add missing eof newlines (#969) 2025-06-17 09:11:32 +00:00
devenv.lock chore(dev): update devenv 2026-03-09 00:27:51 +01:00
devenv.nix feat: migrate cypress e2e tests to playwright (#1739) 2025-11-27 16:34:48 +01:00
devenv.yaml feat: switch from nix flakes to devenv 2024-08-12 12:17:31 +02:00
go.mod chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 2026-04-08 09:17:26 +00:00
go.sum chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 2026-04-08 09:17:26 +00:00
magefile.go feat: update publiccode.yml automatically during release 2026-04-08 09:26:17 +00:00
main.go fix: correct license header references (#882) 2025-06-10 12:18:38 +02:00
nfpm.yaml fix(release): use openrc for alpine (#1016) 2025-06-25 10:40:11 +00:00
publiccode.yml fix: update publiccode.yml to current version v2.2.2 2026-04-08 09:26:17 +00:00
renovate.json chore(renovate): group playwright npm package and docker image together 2026-02-11 09:56:20 +01:00
tsconfig.json fix: correct trailing comma in tsconfig (#970) 2025-06-26 12:30:24 +00:00
vikunja.initd fix(release): use openrc for alpine (#1016) 2025-06-25 10:40:11 +00:00
vikunja.service chore: add missing eof newlines (#969) 2025-06-17 09:11:32 +00:00

README.md


Vikunja

The Todo-app to organize your life.

If Vikunja is useful to you, please consider buying me a coffee, sponsoring me on GitHub or buying a sticker pack. I'm also offering a hosted version of Vikunja if you want a hassle-free solution for yourself or your team.

Security Reports

If you find any security-related issues you don't want to disclose publicly, please use the contact information on our website.

Features

See the features page on our website for a more exhaustive list or try it on try.vikunja.io!

Docs

All docs can be found on the Vikunja home page.

Roadmap

See the roadmap (hosted on Vikunja!) for more!

Contributing

Please check out the contribution guidelines on the website.

License

Most of this repository is licensed under AGPL-3.0-or-later. The contents of desktop/ are licensed under GPL-3.0-or-later.

Unsplash Images

Background images from Unsplash are distributed under the Unsplash License. The license requires giving credit to the photographer and Unsplash. See Unsplash's terms for more information.