Fix XSS issue in a HTML attachment preview

alecpl · alecpl · commit d742954ccbcd · 2026-03-18T12:48:49.000+01:00
Reported by aikido_security
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,6 +8,7 @@
 - Security: Fix remote image blocking bypass via various SVG animate attributes
 - Security: Fix remote image blocking bypass via a crafted body background attribute
 - Security: Fix fixed position mitigation bypass via use of !important
+- Security: Fix XSS issue in a HTML attachment preview
 
 ## Release 1.5.13
 
diff --git a/program/include/rcmail_action.php b/program/include/rcmail_action.php
@@ -683,6 +683,9 @@ public static function display_uploaded_file($file)
             header('Content-Type: ' . $file['mimetype']);
             header('Content-Length: ' . $file['size']);
 
+            // Use strict security policy to make sure no javascript is executed
+            header("Content-Security-Policy: script-src 'none'");
+
             if (isset($file['data']) && is_string($file['data'])) {
                 echo $file['data'];
             }

Original file line number	Diff line number	Diff line change
`@@ -683,6 +683,9 @@ public static function display_uploaded_file($file)`
`683`	`683`	`header('Content-Type: ' . $file['mimetype']);`
`684`	`684`	`header('Content-Length: ' . $file['size']);`
`685`	`685`
	`686`	`+ // Use strict security policy to make sure no javascript is executed`
	`687`	`+ header("Content-Security-Policy: script-src 'none'");`
	`688`	`+`
`686`	`689`	`if (isset($file['data']) && is_string($file['data'])) {`
`687`	`690`	`echo $file['data'];`
`688`	`691`	`}`