One obvious one that many people fail at initially is sanitizing any HTML-format... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		stevekemp on April 8, 2014 \| parent \| context \| favorite \| on: Roundcube Webmail 1.0.0 released One obvious one that many people fail at initially is sanitizing any HTML-formatted mail. You don't want viewing the mail to result in an XSS attack against the mail-viewing application, stealing your login cookie for example.

mike-cardwell on April 8, 2014 [–]

Both GMail and FastMail have had this vulnerability in the past. GMail had it when script was hidden inside SVGs. FastMail had it when script was embedded in attachment filenames. I'm sure lots of other webmail systems had/have these issues too.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact