Adam Cooke cad2aa6808 fix(messages): sandbox rendered email HTML as extra XSS defence ...

The app-wide CSP already blocks inline script execution, but the HTML
preview iframe for a stored email was same-origin and un-sandboxed, and
the html_raw response had no per-action hardening. Add a sandbox on the
iframe and tighten the CSP on html_raw to script-src 'none' with
nosniff and no-referrer so the preview has defence in depth against a
future CSP bypass or regression.

Relates to GHSA-f6g9-8555-cw28.

2026-04-24 22:12:27 +01:00

..

assets

feat: openid connect support (#2873)

2024-03-12 17:40:07 +00:00

controllers

fix(messages): sandbox rendered email HTML as extra XSS defence

2026-04-24 22:12:27 +01:00

helpers

fix(deliveries): escape delivery details to prevent HTML injection

2026-02-01 14:48:54 +00:00

lib

fix: typo in process logging (#3212)

2025-10-03 09:41:20 +01:00

mailers

fix: remove user email verification

2024-03-04 14:41:18 +00:00

models

chore: upgrade to rails 7.1 and ruby 3.4 (#3457)

2025-10-01 16:42:39 +01:00

scheduled_tasks

fix: raise NotImplementedError when no call method on a scheduled task

2024-06-20 14:27:20 +01:00

senders

fix(smtp-sender): ensure relays without a host are excluded

2024-03-21 12:33:34 +00:00

services

refactor: refactors message dequeueing (#2810)

2024-02-23 22:51:36 +00:00

util

fix(health_server): use rackup handler instead of rack handler

2025-10-01 18:12:26 +01:00

views

fix(messages): sandbox rendered email HTML as extra XSS defence

2026-04-24 22:12:27 +01:00