odysseus

MrSphay/odysseus

Fork 0

Commit Graph

Author	SHA1	Message	Date
SurprisedDuck	7a830e504d	Escape email fold summary metadata The email reader folds quoted history into <details> summaries via `_foldSummary()` (static/js/emailLibrary/signatureFold.js), which builds a sender/date "meta" chip into the summary HTML and assigns it to innerHTML. The server-side thread parser (`_extract_quote_meta`, src/email_thread_parser.py) strips tags but then un-escapes HTML entities and preserves `<...>` patterns, and that raw meta reaches `_foldSummary` unescaped via `_renderTurnsFromServer` (`t.meta`) — so an inbound email whose quoted attribution contains `From: <img src=x onerror=...>` runs script when the victim merely opens the message (stored XSS). Make `_foldSummary` the single escaping chokepoint: escape `primary` and `subMeta` with the module's existing `_esc`. The client-side `_extractQuoteMeta` previously pre-escaped its output, and every consumer of it routes through `_foldSummary`, so drop that now-redundant escaping to avoid double-encoding (e.g. "Ben & Jerry" -> "Ben &amp; Jerry"). Verified (jsdom): server-raw and client-extracted malicious metas yield 0 live elements and 0 event-handler attributes; benign "Ben & Jerry" renders single-escaped. Co-authored-by: Claude <noreply@anthropic.com>	2026-06-02 05:50:53 +09:00
Afonso Coutinho	16d6484492	Keep Cc recipients in reply-all * fix: populate window._myEmailAddress from the active email account * fix: keep Cc recipients in reply-all when own address is empty or unknown * test: cover reply-all recipient building (issue #360)	2026-06-01 18:29:22 +09:00
pewdiepie-archdaemon	e5c99a5eee	Odysseus v1.0	2026-05-31 23:58:26 +09:00

Author

SHA1

Message

Date

SurprisedDuck

7a830e504d

Escape email fold summary metadata

The email reader folds quoted history into <details> summaries via
`_foldSummary()` (static/js/emailLibrary/signatureFold.js), which builds a
sender/date "meta" chip into the summary HTML and assigns it to innerHTML.
The server-side thread parser (`_extract_quote_meta`,
src/email_thread_parser.py) strips tags but then un-escapes HTML entities
and preserves `<...>` patterns, and that raw meta reaches `_foldSummary`
unescaped via `_renderTurnsFromServer` (`t.meta`) — so an inbound email
whose quoted attribution contains `From: &lt;img src=x onerror=...&gt;`
runs script when the victim merely opens the message (stored XSS).

Make `_foldSummary` the single escaping chokepoint: escape `primary` and
`subMeta` with the module's existing `_esc`. The client-side
`_extractQuoteMeta` previously pre-escaped its output, and every consumer
of it routes through `_foldSummary`, so drop that now-redundant escaping to
avoid double-encoding (e.g. "Ben & Jerry" -> "Ben &amp;amp; Jerry").

Verified (jsdom): server-raw and client-extracted malicious metas yield 0
live elements and 0 event-handler attributes; benign "Ben & Jerry" renders
single-escaped.

Co-authored-by: Claude <noreply@anthropic.com>

2026-06-02 05:50:53 +09:00

Afonso Coutinho

16d6484492

Keep Cc recipients in reply-all

* fix: populate window._myEmailAddress from the active email account

* fix: keep Cc recipients in reply-all when own address is empty or unknown

* test: cover reply-all recipient building (issue #360)

2026-06-01 18:29:22 +09:00

pewdiepie-archdaemon

e5c99a5eee

Odysseus v1.0

2026-05-31 23:58:26 +09:00

3 Commits