mirror of
https://github.com/go-vikunja/vikunja.git
synced 2026-07-15 14:22:28 -05:00
User-controlled fields rendered into notification emails (task title via the conversational header, comment and description bodies) were sanitized with a bluemonday UGCPolicy that permits remote <img> sources. An attacker with write access to a shared project could therefore inject an external image that acts as a tracking pixel in a subscriber's inbox, leaking email-open time and IP. Restrict notification-email images to inline data URIs (used by avatars) by adding a RewriteSrc hook that blanks any non-data image src. The policy was duplicated in three places, so extract it into newNotificationSanitizer. Refs GHSA-2vr2-r3qw-rjvq