https://bugs.kde.org/show_bug.cgi?id=480193
            Bug ID: 480193
           Summary: KMail QML HTML injection via --subject and --attach
    Classification: Applications
           Product: kmail2
           Version: unspecified
          Platform: Other
                OS: Linux
            Status: REPORTED
          Severity: normal
          Priority: NOR
         Component: composer
          Assignee: kdepim-bugs@kde.org
          Reporter: benjaminfle...@icloud.com
  Target Milestone: ---

SUMMARY
***
HTML injection into KMail UI
afaik not security issue because external image urls are not followed
***

STEPS TO REPRODUCE
1. kmail --composer --body '' --attach '<h1>HTML Injection bf</h1><img source="https://www.spyber.com/sig-25163.png" width="100" height="100" />'
2. kmail --composer --attach 'asdasd <h1>HTML Injection @bf</h1><img src="0" /> ' --subject '<h1>injectko</h1>asdasd'

OBSERVED RESULT
custom HTML in kmail UI and alert dialogs

EXPECTED RESULT
no custom HTML in kmail UI

SOFTWARE/OS VERSIONS
kmail2 5.24.4 (23.08.4)
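An added example, not part of the report and not KMail code: one way to get the expected result when a command-line value is placed into a string that a Qt widget will parse as rich text. The report does not identify the affected code path; htmlEscape() is a plain C++ stand-in covering the same four characters as QString::toHtmlEscaped(), and dialogLine() and hasForeignTag() are hypothetical helpers. Setting the widget to Qt::PlainText (Text.PlainText in QML) is the alternative when no markup is needed at all.

```cpp
#include <iostream>
#include <string>

// Stand-in for QString::toHtmlEscaped(): replaces <, >, & and " with
// entities so a rich-text parser shows them as literal characters.
std::string htmlEscape(const std::string &in) {
    std::string out;
    out.reserve(in.size());
    for (char c : in) {
        switch (c) {
        case '<': out += "&lt;"; break;
        case '>': out += "&gt;"; break;
        case '&': out += "&amp;"; break;
        case '"': out += "&quot;"; break;
        default:  out += c;
        }
    }
    return out;
}

// Hypothetical helper: builds a dialog line such as "<b>Subject:</b> value".
// Only the application's own <b> markup stays live; the value is escaped.
std::string dialogLine(const std::string &label, const std::string &untrusted) {
    return "<b>" + htmlEscape(label) + ":</b> " + htmlEscape(untrusted);
}

// Regression check: true if any tag other than the application's own
// <b>...</b> is present in the final rich-text string.
bool hasForeignTag(const std::string &richText) {
    for (std::size_t i = richText.find('<'); i != std::string::npos;
         i = richText.find('<', i + 1)) {
        if (richText.compare(i, 3, "<b>") != 0 &&
            richText.compare(i, 4, "</b>") != 0)
            return true;
    }
    return false;
}

int main() {
    // Values taken from step 2 of the report's reproduction steps.
    const std::string subject = "<h1>injectko</h1>asdasd";
    const std::string attach = "asdasd <h1>HTML Injection @bf</h1><img src=\"0\" /> ";
    std::cout << dialogLine("Subject", subject) << "\n"
              << dialogLine("Attachment", attach) << "\n";
    return hasForeignTag(dialogLine("Attachment", attach)) ? 1 : 0;
}
```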