JavaScript in email not suppressed
Bug summary
I am a pentester as well as a bug hunter from Bangladesh.
- Geary version: 0.12.2-2
- Installation method: I downloaded it from the website (source code).
- Your desktop: 3.28.2
- Your operating system and version: Kali Linux
- Email provider: Outlook
Steps to reproduce
- This is an XSS on another third-party website; I cannot give you the proper code without their permission. At least I can tell you it's a stored XSS in one of their mails. It pops up in your app.
This is the source code:
<strong style="color:#3d3d3d;">Admin:</strong> <span style="color:#002050;">"><img src="x" onerror="prompt(1)"> Cipher</span>
What is the current bug behavior?
It gives me an XSS pop-up.
What is the expected correct behavior?
I tried it on Thunderbird; it didn't work. I think you should fix this issue.
Relevant logs and/or screenshots
Edited by Michael Gratton
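A regression check that a mail client's test suite could run over message bodies, added here as an example (it is not code from the report or from Geary): it parses a constructed message whose HTML body is the markup quoted in the report and lists every construct that could run script when rendered. The names `ActiveContentFinder` and `find_active_content` and the sample headers are assumptions.

```python
from email import message_from_string
from html.parser import HTMLParser

# Constructed sample message; the HTML body is the markup quoted in the report.
SAMPLE = """\
From: sender@example.com
To: user@example.com
Subject: constructed sample
Content-Type: text/html; charset="utf-8"

<strong style="color:#3d3d3d;">Admin:</strong> <span style="color:#002050;">"><img src="x" onerror="prompt(1)"> Cipher</span>
"""

URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}


class ActiveContentFinder(HTMLParser):
    """Collects (tag, attribute, value) triples that can run script."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names before calling this.
        if tag == "script":
            self.findings.append((tag, None, None))
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):  # onerror, onload, onclick, ...
                self.findings.append((tag, name, value))
            elif name in URL_ATTRS:
                # Drop whitespace and control characters, which URL parsing
                # discards, so "java\tscript:" is still recognised.
                scheme = "".join(c for c in value if c > " ").lower()
                if scheme.startswith("javascript:"):
                    self.findings.append((tag, name, value))


def find_active_content(raw_message):
    """Return script-capable constructs found in every text/html part."""
    findings = []
    for part in message_from_string(raw_message).walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            body = part.get_payload(decode=True).decode(charset, errors="replace")
            finder = ActiveContentFinder()
            finder.feed(body)
            finder.close()
            findings.extend(finder.findings)
    return findings
```

A non-empty result means the body carries script-capable markup that the message view must not execute; the check reports such markup and is not a sanitizer.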