Summary
In backend/app/services/email_service.py, the _build_html function dynamically injects stats['top_bug'] and stats['languages'] into the HTML template using standard Python f-strings. These stats are generated from user-submitted analysis code. Since no HTML escaping is applied, an attacker could submit code with malicious string patterns that get stored as bug names or language types, leading to HTML injection inside the victim's email client.
Impact
Allows an attacker to alter the visual layout of emails, inject tracking pixels, or execute phishing via email clients that lack robust sandboxing.
Proposed Fix
Apply html.escape() on all dynamically injected user-originating fields (e.g., top_bug, languages) within the HTML template logic.
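The following is an added illustration of the proposed fix, not code from the project: it reconstructs the f-string pattern the report describes beside an escaped version, and includes a small regression check that fails if any user-originating value containing markup reaches the rendered HTML unescaped. The function names, the sample stats and the assumption that stats['languages'] may be either a list or a single string are all constructed for this example.

```python
import html
from typing import Iterable, Union

# Constructed sample stats (not real project data). The values imitate
# user-originating strings that reached the stats dictionary unescaped.
SAMPLE_STATS = {
    "top_bug": "Off-by-one <i>injected</i>",
    "languages": ["Python", "C <b>bold</b>"],
}


def _join_languages(languages: Union[str, Iterable[str]]) -> list:
    """Normalise the languages field to a list (assumption: list or str)."""
    if isinstance(languages, str):
        return [languages]
    return [str(lang) for lang in languages]


def build_html_vulnerable(stats: dict) -> str:
    """Hypothetical reconstruction of the reported pattern: raw interpolation."""
    languages = ", ".join(_join_languages(stats["languages"]))
    return f"<p>Top bug: {stats['top_bug']}</p><p>Languages: {languages}</p>"


def build_html_fixed(stats: dict) -> str:
    """Same template with html.escape() applied to every user-originating field.

    quote=True also escapes quotation marks, so the values are safe inside
    attribute contexts as well as text nodes.
    """
    top_bug = html.escape(str(stats["top_bug"]), quote=True)
    languages = ", ".join(
        html.escape(lang, quote=True) for lang in _join_languages(stats["languages"])
    )
    return f"<p>Top bug: {top_bug}</p><p>Languages: {languages}</p>"


def has_unescaped_markup(rendered: str, stats: dict) -> bool:
    """Regression check: True if any user value containing '<' or '>' appears
    verbatim in the rendered HTML, i.e. it was not escaped."""
    values = [str(stats["top_bug"])] + _join_languages(stats["languages"])
    return any(("<" in v or ">" in v) and v in rendered for v in values)


if __name__ == "__main__":
    print("vulnerable:", build_html_vulnerable(SAMPLE_STATS))
    print("fixed:     ", build_html_fixed(SAMPLE_STATS))
    print("unescaped markup present (vulnerable):",
          has_unescaped_markup(build_html_vulnerable(SAMPLE_STATS), SAMPLE_STATS))
    print("unescaped markup present (fixed):     ",
          has_unescaped_markup(build_html_fixed(SAMPLE_STATS), SAMPLE_STATS))
```

Escaping at the point of interpolation, rather than when the stats are stored, keeps the fix local to the template and covers any other code path that later writes the same values into HTML.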