Fix(Security): Prevent bypass of Contend Security Policy using stored XSS, and sanitize preview HTML data (DOMPurify)

This closes a security hole whereby a bad actor with SMTP access can bypass the CSP headers with a series of specially crafted HTML messages. A special thanks to @bmodotdev for responsibly disclosing the vulnerability and proving information and an initial fix.
2026-03-03 03:57:01 +00:00 · 2024-07-26 22:02:14 +12:00
parent 9e881ea868
commit a078c318e8
5 changed files with 114 additions and 14 deletions
--- a/package.json
+++ b/package.json
@@ -15,6 +15,7 @@
    "bootstrap5-tags": "^1.6.1",
    "color-hash": "^2.0.2",
    "dayjs": "^1.11.10",
+    "dompurify": "^3.1.6",
    "ical.js": "^2.0.1",
    "modern-screenshot": "^4.4.30",
    "prismjs": "^1.29.0",