
Fix html injection in formatToHtml#28

Open
ulidtko wants to merge 1 commit into
mgeeky:mainfrom
ulidtko:fix/html-export-quoting

Conversation

@ulidtko

@ulidtko ulidtko commented Mar 11, 2025


Hi @mgeeky! Thanks for this script, super useful. 🙏

A simple drive-by fix here, in html export:

  • If the sample under analysis contains a full-blown <html>...</html> blob — interpolating it right into the output report html is not good enough; it should go through html.escape() first.

Otherwise, the contents of the email sample bleed out of the Original SMTP Headers spoiler, wrecking the report:

image

And on the same sample, fixed:

image

Hoping for easy merge, HTH
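Added example, not code from the decode-spam-headers script or this PR: the unescaped interpolation the PR describes beside the escaped form. It assumes a `<details>` spoiler for the headers section and the `\n<br/>\n` rewriting mentioned in the thread; both are assumptions, and the sample message is constructed.

```python
# Added example (not the project's own code): an HTML-document blob inside a
# mail sample closes the report's spoiler unless it is escaped first.
from html import escape

# Constructed sample: raw headers followed by a body that is a full HTML page.
SAMPLE_HEADERS = (
    "Received: from mail.example.test by mx.example.test\r\n"
    "Subject: invoice\r\n"
    "\r\n"
    "<html><body><details open><b>bleeds out</b></details></body></html>"
)


def render_headers_unsafe(headers: str) -> str:
    # Pre-fix shape (assumed): raw text dropped into the spoiler with newlines
    # rewritten to <br/>. Any tag in the sample becomes live markup.
    body = headers.replace("\n", "\n<br/>\n")
    return f"<details><summary>Original SMTP Headers</summary>{body}</details>"


def render_headers_safe(headers: str) -> str:
    # Post-fix shape: html.escape() first, then <pre> so line breaks render
    # without any <br/> rewriting (this is the layout shown in the PR).
    return (
        "<details><summary>Original SMTP Headers</summary>"
        f"<code><pre>\n{escape(headers)}\n</pre></code></details>"
    )


def spoiler_intact(report: str) -> bool:
    # Check: the template emits exactly one </details>; a second one means the
    # sample closed the spoiler early and the rest of the report is exposed.
    return report.count("</details>") == 1 and report.endswith("</details>")
```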

Comment thread decode-spam-headers.py
</code>
<code><pre>
{escape(headers)}
</pre></code>
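Review bot: `{escape(headers)}` only works if `escape` is the `html.escape` named in the description and is imported at module level (`from html import escape`); otherwise report generation fails with a NameError on the first export. Also worth stating in the PR text that `html.escape` is sufficient here only because the value lands in element text inside `<pre>`, not in an attribute.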

Author

The added wrapping in <pre> allows simply ditching the \n<br/>\n shenanigans — within <pre>, the contained (html-escaped) html blob will render as-is.

ulidtko added a commit to ulidtko/decode-spam-headers that referenced this pull request Dec 16, 2025
Cherry-pick of still-standing PR mgeeky#28

1 participant