Vote #66631
Completed
HTML part of issue mails is not properly escaped
0%
Description
The link to the issue in the HTML part of issue mails is not properly escaped. If a user inserts HTML tags into the issue subject, it is inserted unescaped into the email body which at least destroys the rendering or at worst allows sophisticated phishing attacks using specifically crafted issue subjects.
The attached patch against Redmine trunk (r3434) fixes this.
journals
Done in r3452 with a few more fixes.
--------------------------------------------------------------------------------
Merged in 0.9-stable in r3462.
--------------------------------------------------------------------------------
related_issues
duplicates,Closed,5178,<pre> tag in subject disrupts HTML email
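
The class of bug reported above, shown as an added example that is not the attached patch or Redmine's own code: an issue link rendered into the HTML part of a mail with and without output escaping, plus a regression check that tags typed into a subject do not survive as markup. The `Issue` struct, `MailView` class, templates, sample subject and URL are all constructed for illustration.

```ruby
require "erb"

# Hypothetical stand-in for an issue record (not Redmine's model class).
Issue = Struct.new(:id, :tracker, :subject)

# "Before": the subject is written into the HTML part verbatim.
UNESCAPED = ERB.new('<h1><a href="<%= url %>"><%= "#{issue.tracker} ##{issue.id}: #{issue.subject}" %></a></h1>')
# "After": link target and link text are HTML-escaped on output.
ESCAPED = ERB.new('<h1><a href="<%= h(url) %>"><%= h("#{issue.tracker} ##{issue.id}: #{issue.subject}") %></a></h1>')

# Minimal view object so the templates can call h() like a Rails view.
class MailView
  include ERB::Util # provides h / html_escape
  attr_reader :issue, :url

  def initialize(issue, url)
    @issue = issue
    @url = url
  end

  def render(template)
    template.result(binding)
  end
end

# Regression check: does any tag typed into the subject survive as markup?
def subject_markup_leaked?(html, subject)
  subject.scan(/<[^>]+>/).any? { |tag| html.include?(tag) }
end

# Constructed sample data, modelled on the "<pre> tag in subject" duplicate.
SAMPLE = Issue.new(42, "Bug", 'Crash in <pre> block & "quoted" text')
SAMPLE_URL = "https://redmine.example.invalid/issues/42"

if __FILE__ == $0
  view = MailView.new(SAMPLE, SAMPLE_URL)
  { "unescaped" => UNESCAPED, "escaped" => ESCAPED }.each do |name, tpl|
    html = view.render(tpl)
    puts "#{name}: #{html}"
    puts "  subject markup leaked: #{subject_markup_leaked?(html, SAMPLE.subject)}"
  end
end
```
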