  2. 1

    Interesting article - it’ll be fun to see if jmap gets more uptake. Curious about this:

    someone very helpfully suggested just wrapping the plain text email in a tag to protect against XSS.

    Seems to imply an embedded end tag will be escaped? Maybe xml/html entities and tags are escaped - but then how would css be included in the first place?

    1. 1

      Inline CSS, presumably?

      1. 1

        A) I don’t think this is true, and B) her final code doesn’t use it (Vue does its own escaping).

        1. 1

          Just came back to this and it makes no sense - did your comment get edited or was I incoherent last night? When I wrote my reply I was looking at something about pre tags.

        2. 1

          If you’re rendering “plain text” - the only way I see for in-line css is css in an html tag. If you’re parsing tags, couldn’t someone just close the pre-tag and inject html/css?

          1. 1

            Related (sub) thread at that other site: https://news.ycombinator.com/item?id=24218765
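
The question raised in this thread, whether wrapping a plain-text body in a pre tag is enough without escaping, can be checked directly. The following is an added example, not code from the article or from any commenter; the helper names and the sample email body are constructed for illustration, and the tag scanner is a simplified regex, not a full HTML parser.

```javascript
// Added example: hypothetical helpers, constructed input.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Replace every character that can start or terminate markup or an attribute.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Wrapping alone: the body is concatenated into the page as-is.
function wrapNaive(body) {
  return `<pre>${body}</pre>`;
}

// Wrapping after escaping: the body can only ever be text inside the <pre>.
function wrapEscaped(body) {
  return `<pre>${escapeHtml(body)}</pre>`;
}

// Simplified view of what an HTML parser would treat as tags in the output.
// Returns lowercased tag names in order, with a leading "/" for end tags.
function tagsSeen(html) {
  const tags = [];
  for (const m of html.matchAll(/<(\/?[a-z][a-z0-9]*)\b[^>]*>/gi)) {
    tags.push(m[1].toLowerCase());
  }
  return tags;
}

// Constructed email body: closes the wrapper, adds a style block, reopens it.
const SAMPLE_BODY = 'Hi,\n</pre><style>body{display:none}</style><pre>';

function demo() {
  return {
    naive: tagsSeen(wrapNaive(SAMPLE_BODY)),     // wrapper plus sender-supplied tags
    escaped: tagsSeen(wrapEscaped(SAMPLE_BODY)), // only the wrapper's own tags
  };
}

console.log(demo());
```

Only the escaped variant leaves the wrapper's own two tags as the sole markup; in the naive variant the sender's end tag and style block are parsed as part of the page.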