Interesting article - it’ll be fun to see if JMAP gets more uptake. Curious about this:
“someone very helpfully suggested just wrapping the plain text email in a <pre> tag to protect against XSS.”
Seems to imply an embedded end tag will be escaped? Maybe XML/HTML entities and tags are escaped - but then how would CSS be included in the first place?
Inline CSS, presumably?
A) I don’t think this is true, and B) her final code doesn’t use it (Vue does its own escaping).
Just came back to this and it makes no sense - did your comment get edited or was I incoherent last night? When I wrote my reply I was looking at something about pre tags.
If you’re rendering “plain text” - the only way I see for inline CSS is CSS in an HTML tag. If you’re parsing tags, couldn’t someone just close the pre tag and inject HTML/CSS?
Related (sub) thread at that other site: https://news.ycombinator.com/item?id=24218765