Mjml: HTML Injection

Created on 9 May 2017 · 2 Comments · Source: mjmlio/mjml

I don't know if this is exactly a feature or a bug, but to me it looks like a bug.

When any HTML entity is inserted in a template to render, like &lt; -> <, it gets rendered as part of the HTML and is not displayed as part of the text. The problem is that if you are sending an email where the user name is entered by the user and the user puts something like <b>username</b>, this leads to HTML injection; it does not matter if the item gets escaped before.

Example:

<mjml>
  <mj-body>
    <mj-container>
      <mj-section>
        <mj-column>

          <mj-image width="100" src="/assets/img/logo-small.png"></mj-image>

          <mj-divider border-color="#F45E43"></mj-divider>

          <mj-text font-size="20px" color="#F45E43" font-family="helvetica">Hello            &lt;b&gt;bold&lt;/b&gt;  World</mj-text>

        </mj-column>
      </mj-section>
    </mj-container>
  </mj-body>
</mjml>

MJML 4 Parser

All 2 comments

Hi @edelvalle, there is indeed an issue with the way special characters are parsed and replaced, sorry for that. It's a known issue, so I'm closing this one.

It's something we're working to fix in MJML 4.

Hey all,

I just ran into this issue and was able to find a nice work-around. If we know that our mjml is effectively being parsed twice, then we just need to get two steps behind the actual characters we want.

For <, this can be accomplished by using &#38;lt;: the first pass will convert &#38; into an actual &, and then the second pass will convert &lt; into our < symbol.

The same methodology can be followed for the rest of the symbols you are having an issue with parsing.
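
The following is an added example, not code from the mjml project or from anyone in this thread. It models the behaviour described above as a two-layer decode: `mjmlTextPass` stands in for the unwanted entity decode on `<mj-text>` content that the issue reports, and `clientVisibleText` stands in for the mail client's normal decode. Both are assumptions made for the illustration, not a description of mjml's parser internals. The code shows why a user name that was HTML-escaped once comes out as live markup, why escaping it a second time (the same idea as the `&#38;lt;` work-around above) survives the extra pass, and gives a check a template author can run on the produced HTML before sending it.

```javascript
// Added example, not code from the mjml project: a model of the entity
// handling reported in this issue. It assumes (from the report and the
// work-around comment) that text inside <mj-text> has its entities decoded
// once by mjml and once more by the mail client, so user-supplied text that
// was HTML-escaped only once comes out as live markup.

const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const NAMED_ENTITIES = { lt: '<', gt: '>', amp: '&', quot: '"', apos: "'" };

// One layer of HTML escaping in a single regex pass (the usual "escape once").
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// Decodes exactly one layer of named and numeric entities in a single pass,
// so "&amp;lt;" becomes "&lt;" and not "<".
function decodeEntities(text) {
  return text.replace(/&(#x[0-9a-fA-F]+|#\d+|lt|gt|amp|quot|apos);/g, (_m, ent) => {
    if (ent[0] === '#') {
      const code = ent[1] === 'x' ? parseInt(ent.slice(2), 16) : parseInt(ent.slice(1), 10);
      return String.fromCodePoint(code);
    }
    return NAMED_ENTITIES[ent];
  });
}

// Stand-in for the behaviour the issue describes: the template text is
// decoded once on the way to the output HTML. (Assumption for this example,
// not a description of mjml's parser internals.)
function mjmlTextPass(templateText) {
  return decodeEntities(templateText);
}

// Stand-in for the mail client: it decodes entities once more to produce the
// visible text.
function clientVisibleText(outputHtml) {
  return decodeEntities(outputHtml);
}

// Check to run on the produced HTML: any raw tag left in the text portion
// will be interpreted as markup by the client.
function containsLiveTag(outputHtml) {
  return /<\/?[a-zA-Z]/.test(outputHtml);
}

// Builds the <mj-text> content for a greeting after escaping the user-supplied
// name `escapeTimes` times, then runs it through the modelled mjml pass.
// Returns the HTML that would reach the mail client.
function renderGreeting(userName, escapeTimes) {
  let escaped = userName;
  for (let i = 0; i < escapeTimes; i += 1) {
    escaped = escapeHtml(escaped);
  }
  const templateText = `Hello ${escaped} World`; // constructed template content
  return mjmlTextPass(templateText);
}

// Constructed hostile input: a user name carrying markup.
const HOSTILE_NAME = '<b>username</b>';

const onceEscaped = renderGreeting(HOSTILE_NAME, 1);
console.log('escaped once  ->', onceEscaped, '| live tag:', containsLiveTag(onceEscaped));
const twiceEscaped = renderGreeting(HOSTILE_NAME, 2);
console.log('escaped twice ->', twiceEscaped, '| live tag:', containsLiveTag(twiceEscaped));
console.log('client shows  ->', clientVisibleText(twiceEscaped));
// The hand-written work-around from the thread for a literal "<":
const workaround = mjmlTextPass('&#38;lt;');
console.log('&#38;lt; ->', workaround, '->', clientVisibleText(workaround));
```

The single-pass regex in `decodeEntities` matters: a decoder that replaces `&amp;` first and then scans the result again would turn `&amp;lt;` straight into `<`, which is exactly the kind of stacked decoding the issue describes. The `containsLiveTag` check is the part worth keeping in a build step while the bug stands: it catches the case where a once-escaped value has been turned back into markup before the mail goes out.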
