1. 57
    1. 1

      Interesting article - it’ll be fun to see if JMAP gets more uptake. Curious about this:

      someone very helpfully suggested just wrapping the plain text email in a tag to protect against XSS.

      Seems to imply an embedded end tag will be escaped? Maybe XML/HTML entities and tags are escaped, but then how would CSS be included in the first place?

      1. 1

        Inline CSS, presumably?

        1. 1

          A) I don’t think this is true, and B) her final code doesn’t use it (Vue does its own escaping).

          1. 1

            Just came back to this and it makes no sense - did your comment get edited or was I incoherent last night? When I wrote my reply I was looking at something about pre tags.

        2. 1

          If you’re rendering “plain text”, the only way I see for inline CSS is CSS in an HTML tag. If you’re parsing tags, couldn’t someone just close the pre tag and inject HTML/CSS?
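          An added example, not from the thread or the article it discusses, of the point raised here: wrapping the body in `<pre>` as-is lets a `</pre>` inside the text close the tag, while entity-escaping the text first keeps it literal. The function names and the sample email body are constructed for illustration.

```javascript
// Added example (not from the thread): wrapping untrusted plain text in <pre>
// as-is versus entity-escaping it first.

// Naive approach discussed in the thread: wrap the raw text in a <pre> tag.
// A body containing "</pre>" closes the wrapper and everything after it is
// parsed as markup, so this gives no XSS protection on its own.
function wrapNaive(text) {
  return `<pre>${text}</pre>`;
}

// Hardened approach: replace the five characters that carry meaning in HTML
// text or attribute context with entities before wrapping. The browser then
// renders "</pre>" literally inside the <pre> block instead of closing it.
const ENTITY_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENTITY_MAP[ch]);
}

function wrapEscaped(text) {
  return `<pre>${escapeHtml(text)}</pre>`;
}

// Defensive check: the output must be exactly one <pre>...</pre> pair with
// no raw angle brackets inside, i.e. no tag could have been injected.
function isSafelyWrapped(html) {
  const inner = html.slice('<pre>'.length, -'</pre>'.length);
  return html.startsWith('<pre>') && html.endsWith('</pre>') && !/[<>]/.test(inner);
}

// Constructed sample: a "plain text" email body that tries to break out of
// the wrapper and smuggle in a <style> tag (the inline-CSS case from the thread).
const SAMPLE_BODY = 'Hi,\nsee attached.\n</pre><style>body{display:none}</style><pre>';

console.log(isSafelyWrapped(wrapNaive(SAMPLE_BODY)));   // false: markup escaped the wrapper
console.log(isSafelyWrapped(wrapEscaped(SAMPLE_BODY))); // true: rendered as literal text
```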

        3. 1

          Related (sub) thread at that other site: https://news.ycombinator.com/item?id=24218765