This project has moved. For the latest updates, please go here.
1
Vote

Crash with javascript present in email

description

Papercut consistently crashes if there is javascript present that displays an alert box. It might crash under other script circumstances, like changes to the DOM, but that doesn't matter as much to me.

I can't be sure, but it seems like it might actually be un-HTML-encoding the HTML body before displaying? We are sending emails to ourselves that contain all the server variables printed out, which can include query string and form values. I'm currently testing XSS issues and purposely placing script values into query string and form fields. Although we are HTML encoding the output for the email body, it doesn't seem to stop Papercut from attempting to run the script tags and their content.

Whether you fix the way it HTML decodes so it doesn't run those script tags, or find a way to prevent it from executing script, I'm not sure of the appropriate choice there. It may be using a standard browser engine to display, so maybe it cannot shut down script execution.
A test case would be to create an HTML email, and HTML-encode a script tag in the HTML body containing a javascript line to display an alert box.

comments