
HTML injection in email template

HackerOne report #448679 by ruvlol on 2018-11-22:

Hello Gitlab team! I found that email notifications about new comments contain the unescaped content of the comment, which includes hyperlinks and images. This leads to HTML injection in the email template and allows an attacker to rewrite the original template into a phishing one, which will be sent from the original sender (gitlab@domain.com).

How to reproduce:

  1. Subscribe to new comments of an issue
  2. Leave the following as a comment:

     [View it on gitlab!](https://example.com) ![](http://ruvlolmail.temp.swtest.ru/kitty.jpg)

  3. See the received email: the hyperlink and image appear. (Screenshot: ______________2018-11-22___8.47.04.png)

How to fix:

Like HackerOne does: send unrendered content in email templates.
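To make the reported defect and the suggested fix concrete, here is an added example (not GitLab's own code): a simplified Ruby notification template that embeds the rendered comment, beside one that embeds the comment as escaped, unrendered text. The `render_markdown` helper is a hypothetical stand-in for a real Markdown renderer, and `attacker.example` is a placeholder host.

```ruby
require 'cgi'

# Constructed sample comment mirroring the report's reproduction step
# (placeholder host instead of the reporter's test server).
SAMPLE_COMMENT = '[View it on gitlab!](https://example.com) ![](http://attacker.example/kitty.jpg)'.freeze

# Hypothetical minimal Markdown renderer: handles only image and link syntax.
# A real renderer produces far more markup, which only widens the problem.
def render_markdown(text)
  html = text.gsub(/!\[([^\]]*)\]\(([^)\s]+)\)/) { %(<img src="#{$2}" alt="#{$1}">) }
  html.gsub(/\[([^\]]+)\]\(([^)\s]+)\)/) { %(<a href="#{$2}">#{$1}</a>) }
end

# Vulnerable variant: the rendered comment is dropped straight into the email
# body, so any link or image the commenter wrote becomes part of the template.
def vulnerable_notification(author, comment)
  <<~HTML
    <p>#{CGI.escapeHTML(author)} commented:</p>
    <div class="note">#{render_markdown(comment)}</div>
  HTML
end

# Hardened variant (the report's suggestion): send the unrendered comment,
# HTML-escaped, so the recipient sees the Markdown source and no injected markup.
def hardened_notification(author, comment)
  <<~HTML
    <p>#{CGI.escapeHTML(author)} commented:</p>
    <pre class="note">#{CGI.escapeHTML(comment)}</pre>
  HTML
end

# Detection check for the email body: does the comment area contain markup
# that the commenter controlled (anchors or images)?
def note_contains_markup?(body)
  note = body[%r{<(?:div|pre) class="note">(.*?)</(?:div|pre)>}m, 1] || ''
  note.match?(/<(a|img)\b/i)
end

if __FILE__ == $PROGRAM_NAME
  puts vulnerable_notification('ruvlol', SAMPLE_COMMENT)
  puts hardened_notification('ruvlol', SAMPLE_COMMENT)
end
```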

Impact

With some creativity it is possible to craft a phishing email which will come from the original permitted sender.
