🔒 Security Vulnerability: Unsafe Iframe Rendering of Untrusted Email HTML #116

Open
opened 2026-04-05 16:16:37 +02:00 by MrUnknownDE · 0 comments
Owner

Originally created by @T9C5F on 11/1/2025

Thank you to the project maintainers and contributors for building and maintaining this valuable email archiver! This issue is being opened in the spirit of collaborative improvement to enhance the security of the application.

The [EmailPreview component](https://github.com/LogicLabs-OU/OpenArchiver/blob/c2006dfa94db350a4b0e6f8c9c403f99cec6e3c0/packages/frontend/src/lib/components/custom/EmailPreview.svelte#L62) currently renders the raw HTML body of archived emails directly inside an `<iframe>` element without sufficient security restrictions. Since the content of an email is treated as untrusted, user-generated input, this implementation creates a direct path for Cross-Site Scripting (XSS) and allows unauthorized external resource loading.

**Vulnerability and Impact**

A malicious attacker could craft an email containing exploit code that, when viewed by a user, could lead to:

- **Cross-Site Scripting (XSS):** If the `<iframe>` is served from the same origin as the parent application, malicious JavaScript embedded in the email (e.g., via `<script>` tags or event handlers like `onerror` on an image) can be executed. This script could steal the user's session cookies, modify the parent page's DOM, or perform unauthorized actions on behalf of the user.
- **User Tracking (Web Bugs):** Malicious HTML can load external resources (images, fonts, CSS) from an attacker's server. This acts as a web bug, allowing the attacker to:
  - Confirm the user's email address is active.
  - Track the user's IP address and viewing time.
  - Leak the referrer header, potentially revealing application URLs.
- **Phishing/Redirection:** Unrestricted iframes can potentially navigate the top-level window, redirecting the user to a malicious phishing site.

**Proposed Solution (Mandatory Mitigation)**

The primary and most effective defense is to apply the `sandbox` attribute to the `<iframe>` element. The `sandbox` attribute applies a strict set of restrictions, isolating the untrusted content.

**Recommendation:**

- Block all default unsafe behaviors by using the `sandbox` attribute.
- Sanitization: Run the raw email HTML through a strict, trusted sanitization library (like DOMPurify) before inserting it into `srcdoc`. This provides a final cleanup layer, removing known dangerous elements before the content is even loaded into the sandboxed frame.
- Some setups may provide a user option to block external images entirely by default and only load them on demand, giving users control over external connections.

![Image](https://github.com/user-attachments/assets/5781efef-919d-411b-b77a-c4397e82c9cc)

Thanks again for all the great work!
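An added example (not OpenArchiver's code, and not part of the original report) that sketches the recommended layering: a fully restricted `sandbox`, `srcdoc`, `referrerpolicy="no-referrer"`, and a per-document CSP inside the `srcdoc` that implements the "block external images by default" option. It assumes the HTML passed in has already gone through DOMPurify upstream; `buildEmailFrame` and `sandboxIsolates` are names chosen here, and the helper runs in plain Node without a DOM.

```javascript
// Added example (not OpenArchiver code). `sanitizedHtml` is assumed to be the
// output of an upstream sanitizer, e.g. DOMPurify.sanitize(rawEmailHtml).
function escapeAttr(value) {
  return value
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// CSP embedded in the srcdoc document. With loadRemoteImages=false every
// network fetch (img, font, css, script) is blocked, so tracking pixels
// never fire; data: URIs (inline images) still render.
function previewCsp(loadRemoteImages) {
  const img = loadRemoteImages ? "img-src https: data:" : "img-src data:";
  return ["default-src 'none'", img, "style-src 'unsafe-inline'", "form-action 'none'"].join("; ");
}

function buildEmailFrame(sanitizedHtml, { loadRemoteImages = false } = {}) {
  const doc =
    `<!DOCTYPE html><html><head><meta charset="utf-8">` +
    `<meta http-equiv="Content-Security-Policy" content="${previewCsp(loadRemoteImages)}">` +
    `</head><body>${sanitizedHtml}</body></html>`;
  return {
    // Empty sandbox = every restriction on: no scripts, opaque origin (no
    // parent cookies or DOM), no top-level navigation, no forms, no popups.
    sandbox: "",
    srcdoc: doc,
    referrerpolicy: "no-referrer",
    html: `<iframe sandbox="" referrerpolicy="no-referrer" srcdoc="${escapeAttr(doc)}"></iframe>`,
  };
}

// Review check for a sandbox token list: does it still isolate the content?
function sandboxIsolates(tokens) {
  const t = new Set(tokens.trim().split(/\s+/).filter(Boolean));
  // allow-scripts plus allow-same-origin lets the framed document reach the
  // parent and strip its own sandbox attribute, which defeats the whole point.
  if (t.has("allow-scripts") && t.has("allow-same-origin")) return false;
  // Top-level navigation is exactly the phishing/redirection path above.
  if (t.has("allow-top-navigation")) return false;
  return true;
}
```

Re-enabling remote images on demand (`loadRemoteImages: true`) only widens `img-src`; scripts, fonts, stylesheets and form submissions stay blocked.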
Reference: github/OpenArchiver#116