ulysses/static
SurprisedDuck 7a830e504d
Escape email fold summary metadata
The email reader folds quoted history into <details> summaries via
`_foldSummary()` (static/js/emailLibrary/signatureFold.js), which builds a
sender/date "meta" chip into the summary HTML and assigns it to innerHTML.
The server-side thread parser (`_extract_quote_meta`,
src/email_thread_parser.py) strips tags but then un-escapes HTML entities
and preserves `<...>` patterns, and that raw meta reaches `_foldSummary`
unescaped via `_renderTurnsFromServer` (`t.meta`) — so an inbound email
whose quoted attribution contains `From: &lt;img src=x onerror=...&gt;`
runs script when the victim merely opens the message (stored XSS).

Make `_foldSummary` the single escaping chokepoint: escape `primary` and
`subMeta` with the module's existing `_esc`. The client-side
`_extractQuoteMeta` previously pre-escaped its output, and every consumer
of it routes through `_foldSummary`, so drop that now-redundant escaping to
avoid double-encoding (e.g. "Ben & Jerry" -> "Ben &amp;amp; Jerry").

Verified (jsdom): server-raw and client-extracted malicious metas yield 0
live elements and 0 event-handler attributes; benign "Ben & Jerry" renders
single-escaped.

Co-authored-by: Claude <noreply@anthropic.com>
2026-06-02 05:50:53 +09:00
..
fonts Odysseus v1.0 2026-05-31 23:58:26 +09:00
js Escape email fold summary metadata 2026-06-02 05:50:53 +09:00
lib Odysseus v1.0 2026-05-31 23:58:26 +09:00
app.js Let calendar handle Escape while open 2026-06-01 23:08:57 +09:00
index.html feat: allow memory import without session (#493) 2026-06-01 22:32:17 +09:00
landing.html Fix landing footer snap and uvicorn docs 2026-06-01 10:51:55 +09:00
login.html Odysseus v1.0 2026-05-31 23:58:26 +09:00
manifest.json Odysseus v1.0 2026-05-31 23:58:26 +09:00
style.css Fix sidebar text clipping on Windows 2026-06-01 23:11:19 +09:00
sw.js Odysseus v1.0 2026-05-31 23:58:26 +09:00