0005710: HTML in the subject line is not escaped and displayed - SOGo

ID	Project	Category	View Status	Date Submitted	Last Update

0005710	SOGo	GUI	public	2023-03-13 13:43	2023-10-09 08:01

Reporter	hexmode	Assigned To
Priority	normal	Severity	major	Reproducibility	have not tried
Status	new	Resolution	open
Platform	[Server] Linux	OS	Debian	OS Version	8 (Jessie)
Product Version	5.8.0

Summary	0005710: HTML in the subject line is not escaped and displayed
Description	I recceived an email today with `<br />` in the subject line. In SOGo, the subject line was displayed as ``. Using my browser's debugging tools I found the following: <button class="md-no-style md-button md-ink-ripple" type="button" ng-transclude="" ng-click="mailbox.selectMessage(currentMessage)" aria-label="[Wikitech-l] Re: VisualEditor inserting "><div class="md-ripple-container" style=""></div></button> In another mail reader, the subject was properly displayed as [Wikitech-l] Re: VisualEditor inserting `<br />`
Steps To Reproduce	Send an email with "<br />" in the subject line.
Additional Information	SOGo should escape the subject line so that it can be used as an attribute to an HTML element.
Tags	No tags attached.

Date Modified	Username	Field	Change
2023-03-13 13:43	hexmode	New Issue
2023-10-09 08:01	sebastien	Note Added: 0017347

sebastien 2023-10-09 08:01 administrator ~0017347	Since 5.8.0, the html tags are removed from title to avoid XSS injection. This is rough but more secure. Sebastien