mirror of
https://github.com/go-vikunja/vikunja.git
synced 2026-05-07 12:37:14 -05:00
0f3730d045
Task titles, project titles, team names, doer/assignee names, and API token titles were interpolated raw into Line(...) calls whose content is rendered to HTML by goldmark and then sanitized with bluemonday UGCPolicy. UGCPolicy intentionally allows safe <a href> and <img src> with http/https URLs, so a title containing Markdown link or image syntax would survive sanitization as a working phishing link or tracking pixel in a legitimate Vikunja email. Introduce notifications.EscapeMarkdown, which prefixes every CommonMark §2.4 backslash-escapable ASCII punctuation character — including '<' so autolinks like `<https://evil.com>` are neutralized before reaching goldmark — with a backslash. Apply it to every user-controlled argument of every Line(...) call in pkg/models that feeds into an i18n template, and to the hand-built "* [title](url) (project)" Markdown link in the overdue-tasks digest notification. Also escape the migration error string in MigrationFailedNotification, an additional sink not listed in the advisory (error messages can carry user-controlled content from the external migration source). Subject(...), Greeting(...), and CreateConversationalHeader(...) are left unchanged: Subject is passed directly to the mail library and is not markdown-rendered, Greeting is rendered via html/template's built-in HTML escaping without markdown, and the conversational header is sanitized as raw HTML by bluemonday in mail_render.go. Fixes GHSA-45q4-x4r9-8fqj.
