Harden junk mail image tracking protection

Burak Kaan Köse
2026-04-21 22:21:59 +02:00
parent e0f517e993
commit c0023614ad
5 changed files with 155 additions and 8 deletions
@@ -15,6 +15,7 @@ public class HtmlPreviewVisitorTests
<html>
<body onload="alert('x')">
<h1 onclick="evil()">hello</h1>
<link rel="stylesheet" href="https://tracker.example/mail.css" />
<script>alert('xss')</script>
<iframe src="https://malicious.example"></iframe>
<object data="https://malicious.example/file.swf"></object>
@@ -34,6 +35,7 @@ public class HtmlPreviewVisitorTests
// Assert
output.Should().NotContain("<script", "script tags must be blocked in rendered html");
output.Should().NotContain("<link", "external stylesheet tags must be blocked in rendered html");
output.Should().NotContain("<iframe", "iframe tags must be blocked in rendered html");
output.Should().NotContain("<object", "object tags must be blocked in rendered html");
output.Should().NotContain("onload=", "event handler attributes must be stripped");
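Review bot: The added check `output.Should().NotContain("<link", ...)` is a case-sensitive substring match against a fixture that only contains a lowercase `<link rel="stylesheet">`, so it proves the tag is dropped for that one spelling rather than that the remote fetch is prevented. I would also assert that the remote reference itself is gone, `output.Should().NotContain("tracker.example", "remote stylesheet URLs must not survive sanitization");`, and make the tag check case-insensitive with `output.Should().NotContainEquivalentOf("<link", ...)`. The message says "external stylesheet tags" while the assertion rejects every `<link` element; a short comment such as `// all <link> elements are removed, not only rel="stylesheet"` would make that intent explicit. The fixture string and the test method begin outside the visible hunks, so some of this may already be covered elsewhere in the file.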