Do HTML escaping in strings that may cause cross-site scripting on various components

Description

Strings arriving from emails (such as senders, recipients, subjects, attachment names) or user properties (such as display name) may contain intentionally crafted HTML/JavaScript code to cause cross-site scripting.
These strings must all be HTML-encoded before rendering to avoid execution of such code and to ensure that the text is only displayed.
This must be done explicitly on various components, such as grids, combos, lists and message preview, because the Sencha Ext GUI library does not do it automatically.
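
The encode-at-render step described above, as an added example that is not code from this project: plain JavaScript with no Ext dependency, where `htmlEncode`, `renderSenderCell`, `renderAttachmentList` and the sample message are hypothetical names and constructed data standing in for the library's encoding helper and a component's renderer.

```javascript
// Added illustration: encode untrusted mail fields at the point where a
// component builds its HTML. Stored values stay raw, so each value is
// encoded exactly once, at render time.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Covers both element text and quoted attribute values.
function htmlEncode(value) {
  if (value === null || value === undefined) return '';
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical grid-cell renderer: takes the raw record and returns the
// HTML string the cell will display. Both the attribute and the text node
// receive encoded values.
function renderSenderCell(message) {
  const name = htmlEncode(message.fromName);
  const addr = htmlEncode(message.fromAddress);
  return '<span class="sender" title="' + addr + '">' + name + '</span>';
}

// Hypothetical list renderer for attachment names.
function renderAttachmentList(message) {
  const items = (message.attachments || [])
    .map((att) => '<li>' + htmlEncode(att.name) + '</li>');
  return '<ul class="attachments">' + items.join('') + '</ul>';
}

// Constructed sample: markup in the display name, quotes in the address,
// markup characters in an attachment name.
const sampleMessage = {
  fromName: '<script>alert(1)</script>',
  fromAddress: 'eve" data-x="1@example.com',
  attachments: [{ name: 'a&b<i>.pdf' }, { name: 'notes.txt' }],
};

console.log(renderSenderCell(sampleMessage));
console.log(renderAttachmentList(sampleMessage));
```
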

Activity

Done

Details

Assignee

Reporter

Affects Version

Fix Branch

release

Fix Version

Release Version

WAR ##

Components

Priority

Created May 8, 2024 at 1:58 PM
Updated May 20, 2024 at 2:51 PM
Resolved May 20, 2024 at 6:05 AM