postal

مراية لـ https://github.com/postalserver/postal.git تم المزامنة 2026-05-31 04:35:42 +00:00

Adam Cooke cad2aa6808 fix(messages): sandbox rendered email HTML as extra XSS defence

The app-wide CSP already blocks inline script execution, but the HTML
preview iframe for a stored email was same-origin and un-sandboxed, and
the html_raw response had no per-action hardening. Add a sandbox on the
iframe and tighten the CSP on html_raw to script-src 'none' with
nosniff and no-referrer so the preview has defence in depth against a
future CSP bypass or regression.

Relates to GHSA-f6g9-8555-cw28.

2026-04-24 22:12:27 +01:00

.github

chore: upgrade to rails 7.1 and ruby 3.4 (#3457 )

2025-10-01 16:42:39 +01:00

app

fix(messages): sandbox rendered email HTML as extra XSS defence

2026-04-24 22:12:27 +01:00

bin

feat: add "postal:update" task

2024-03-04 21:01:31 +00:00

config

chore: upgrade to rails 7.1 and ruby 3.4 (#3457 )

2025-10-01 16:42:39 +01:00

feat: openid connect support (#2873 )

2024-03-12 17:40:07 +00:00

doc/config

fix: oidc scopes are invalid when concatenated (#3332 )

2025-05-08 07:51:46 +01:00

docker

feat: new configuration system (and schema) (#2819 )

2024-02-26 12:41:57 +00:00

lib

fix: update url for v2 config (#3225 )

2025-10-03 09:40:22 +01:00

log

initial commit from appmail

2017-04-19 13:07:25 +01:00

public

initial commit from appmail

2017-04-19 13:07:25 +01:00

resource

chore: remove old example messages

2024-01-30 08:38:06 +00:00

script

fix: fix postal version command

2024-06-20 14:27:18 +01:00

spec

fix(messages): sandbox rendered email HTML as extra XSS defence

2026-04-24 22:12:27 +01:00

tmp

initial commit from appmail

2017-04-19 13:07:25 +01:00

vendor/assets

initial commit from appmail

2017-04-19 13:07:25 +01:00

.dockerignore

build: add postal ./bin to path and set config root in container

2021-07-29 16:47:23 +00:00

.gitignore

chore: ignore node modules and yarn.lock

2026-04-24 21:34:57 +01:00

.release-please-manifest.json

chore(main): release 3.3.5 (#3208 )

2026-02-01 14:55:42 +00:00

.rubocop.yml

style(rubocop): Style/TrailingCommaInArrayLiteral

2024-03-12 11:45:44 +00:00

.ruby-version

chore: upgrade to rails 7.1 and ruby 3.4 (#3457 )

2025-10-01 16:42:39 +01:00

CHANGELOG.md

chore(main): release 3.3.5 (#3208 )

2026-02-01 14:55:42 +00:00

config.ru

feat: new configuration system (and schema) (#2819 )

2024-02-26 12:41:57 +00:00

CONTRIBUTING.md

feat: new configuration system (and schema) (#2819 )

2024-02-26 12:41:57 +00:00

docker-compose.yml

chore: remove version from docker-compose.yml

2025-10-02 14:38:42 +01:00

Dockerfile

chore(dockerfile): reduce container size

2025-10-01 18:12:26 +01:00

Gemfile

fix(health_server): use rackup handler instead of rack handler

2025-10-01 18:12:26 +01:00

Gemfile.lock

chore: upgrade resolv to 0.6.2

2025-10-02 14:39:27 +01:00

MIT-LICENCE

chore: update MIT-LICENCE

2024-03-04 13:48:33 +00:00

Procfile.dev

feat: new configuration system (and schema) (#2819 )

2024-02-26 12:41:57 +00:00

Rakefile

style(rubocop): Layout/EmptyLineAfterMagicComment

2024-02-10 17:18:23 +00:00

README.md

docs: update readme

2024-03-04 14:28:04 +00:00

release-please-config.json

chore: update release please to include more categories in changelog

2024-01-30 09:03:08 +00:00

SECURITY.md

docs: update SECURITY policy

2024-02-23 22:51:37 +00:00

README.md

Postal is a complete and fully featured mail server for use by websites & web servers. Think Sendgrid, Mailgun or Postmark but open source and ready for you to run on your own servers.

Documentation
Installation Instructions
FAQs & Features
Discussions - ask for help or request a feature
Join us on Discord

اللغات

Ruby 70.9%

Haml 14.8%

omnetpp-msg 6.2%

SCSS 6%

CoffeeScript 0.8%

أخرى 1.3%