Describe the bug
Email HTML rendering (view/html.go, clib/htmlconv) converts HTML to terminal-safe output, but the sanitization pipeline may not catch all edge cases:
- SVG-based XSS vectors may survive if SVG tags are partially parsed
- CSS expressions in inline styles could contain escape sequences
- HTML entities in attribute values may not be fully decoded before filtering
- Nested encoding (HTML entity inside URL encoding) could bypass filters
To reproduce
Requires crafting specific HTML payloads targeting the rendering pipeline.
Expected behavior
- Use allowlist-based HTML tag/attribute filtering
- Decode all encoding layers before filtering
- Strip all event handlers and script-related attributes
- Add fuzz testing for HTML sanitizer
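A sketch of the "decode all encoding layers before filtering" item applied to link targets, with an allowlist decision made on the decoded value. This is an added example, not code from the project; the function names, the scheme allowlist and the eight-layer cap are assumptions.

```go
package main

import (
	"fmt"
	"html"
	"net/url"
	"strings"
)

// allowedSchemes is an assumed allowlist for link targets in rendered mail.
var allowedSchemes = map[string]bool{"http": true, "https": true, "mailto": true}

// canonicalize peels HTML-entity and percent-encoding layers until the value
// stops changing. It fails closed on malformed escapes or too many layers.
func canonicalize(s string) (string, bool) {
	for i := 0; i < 8; i++ {
		next, err := url.PathUnescape(html.UnescapeString(s))
		if err != nil {
			return "", false
		}
		if next == s {
			return s, true
		}
		s = next
	}
	return "", false
}

// hrefAllowed decides on the fully decoded value, never on the raw attribute.
func hrefAllowed(raw string) bool {
	s, ok := canonicalize(raw)
	// Drop whitespace and control characters that lenient parsers skip inside a scheme.
	s = strings.Map(func(r rune) rune {
		if r <= ' ' || r == 0x7f {
			return -1
		}
		return r
	}, s)
	scheme, _, found := strings.Cut(s, ":")
	return ok && found && allowedSchemes[strings.ToLower(scheme)]
}

func main() {
	// Constructed sample attribute values, not taken from real mail.
	for _, v := range []string{"https://example.com/a%20b", "java&#x25;73cript:x", "/relative"} {
		fmt.Println(hrefAllowed(v), v)
	}
}
```

Values without an allowlisted scheme, including relative links, are rejected, which suits mail content where no base URL exists. Both functions take a plain string, so they can be called directly from a Go fuzz target.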