I can't be sure, but it seems like it might actually be un-HTML-encoding the HTML body before displaying? We are sending emails to ourselves that contain all the server variables printed out, which can include query string and form values. I'm currently testing XSS issues and purposely placing script values into query string and form fields. Although we are HTML encoding the output for the email body, it doesn't seem to stop Papercut from attempting to run the script tags and their content.
Whether you fix the way it HTML decodes so it doesn't run those script tags, or find a way to prevent it from executing script, I'm not sure of the appropriate choice there. It may be using a standard browser engine to display, so maybe it cannot shut down
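To make the encoding question in the report above concrete, here is an added example (my own code, not Papercut's and not the reporter's) that builds a diagnostic email body from constructed sample server variables with each value HTML-encoded, then models the suspected viewer behaviour as a hypothetical `viewer_unescapes_body` step that decodes entities before rendering. A small check shows that the sender-side encoding is correct on its own and that raw script markup only reappears once the body is decoded again; the `SAMPLE_VARS` values and the function names are assumptions for illustration.

```python
import html

# Constructed sample of the kind of "server variables" the report describes:
# request metadata plus echoed query-string and form values, including a
# typical XSS probe string placed there by the tester.
SAMPLE_VARS = {
    "REQUEST_METHOD": "POST",
    "QUERY_STRING": "q=<script>alert(1)</script>",
    "FORM:comment": "hello & <b>world</b>",
}


def render_email_body(server_vars: dict) -> str:
    """Build an HTML email body, HTML-encoding every variable name and value.

    This is the sender-side step the report says is already in place: with
    html.escape() applied, '<script>' becomes '&lt;script&gt;' and is shown
    as literal text by any viewer that renders the markup exactly once.
    """
    rows = "".join(
        f"<tr><td>{html.escape(key)}</td><td>{html.escape(value)}</td></tr>"
        for key, value in server_vars.items()
    )
    return f"<html><body><table>{rows}</table></body></html>"


def viewer_unescapes_body(body: str) -> str:
    """Hypothetical model of the suspected viewer behaviour (an assumption,
    not Papercut's actual code): decode HTML entities before displaying.

    Doing this turns '&lt;script&gt;' back into '<script>', so the encoding
    done by the sender is undone and the browser engine sees live markup.
    """
    return html.unescape(body)


def contains_active_script_markup(body: str) -> bool:
    """Return True if the body contains a raw '<script' tag.

    A body that only contains the encoded form '&lt;script' is inert; this
    check is what a defender would run against whatever the viewer is about
    to hand to its rendering engine.
    """
    return "<script" in body.lower()


def render_plain_text_body(server_vars: dict) -> str:
    """Alternative that sidesteps the problem for diagnostic mail: emit a
    text/plain body, which a viewer has no reason to decode or render as HTML.
    """
    return "\n".join(f"{key} = {value}" for key, value in server_vars.items())


if __name__ == "__main__":
    encoded = render_email_body(SAMPLE_VARS)
    print("sender-side encoded body active?",
          contains_active_script_markup(encoded))
    decoded = viewer_unescapes_body(encoded)
    print("after viewer-side unescape active?",
          contains_active_script_markup(decoded))
    print(render_plain_text_body(SAMPLE_VARS))
```

The check passes on the encoded body and fails only after the modelled decode step, which is consistent with the reporter's observation that the sender's encoding is not the weak point; if the viewer really does decode before rendering, the fix belongs there (or in sending diagnostics as `text/plain`), not in encoding the body a second time.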