fix: escape user-controlled values in console log calls (issue #165) #175

Open
JuliaKalder wants to merge 1 commit into main from fix/issue-165

fix: escape user-controlled values in console log calls (issue #165)#175
JuliaKalder wants to merge 1 commit into
mainfrom
fix/issue-165

Conversation

@JuliaKalder (Owner)

Summary

Fixes log injection (CWE-117 / OWASP Log Injection) in resolveNestedTemplates and attachment error handling in modules/template-insert.js.

User-controlled strings (template identifier, template name, attachment filename) were interpolated directly into console.warn/console.error template literals, allowing newlines and control characters to forge fake log entries in the Thunderbird developer console.

Changes

  • template-insert.js:179: identifier now passed as JSON.stringify(identifier) as a separate arg
  • template-insert.js:184: nestedTemplate.name now passed as JSON.stringify(nestedTemplate.name) as a separate arg
  • template-insert.js:358: att.name now passed as JSON.stringify(att.name) as a separate arg

Testing

  • Verified three console call sites are updated
  • Existing test suite run (if present)
  • No functional behavior changed — only log output format

Fixes #165

Fixes log injection (CWE-117) by passing user-controlled strings as
separate JSON.stringify'd arguments instead of interpolating them into
template literals in console.warn/error calls.

Fixes #165
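The pattern the PR describes, shown as an added example that is not code from the PR or from the extension's template-insert.js: a vulnerable template-literal log call beside the hardened separate-argument form, run against a constructed identifier carrying a newline and one carrying an ANSI escape. The log message text, the identifier values, the helper names and the simplified console model (string arguments joined with single spaces, which is how Node renders them and is assumed to match the Thunderbird developer console) are all assumptions made for the illustration.

```javascript
// Added example for this PR page; it is not code from the PR or from the
// extension's template-insert.js. The message text, the identifier values and
// the console model below are all constructed for illustration.

// Simplified model of how a console sink renders a multi-argument call:
// string arguments are joined with single spaces and emitted as one entry.
// (Assumption: devtools consoles format string arguments the same way.)
function renderConsoleLine(...args) {
  return args.map((a) => (typeof a === "string" ? a : String(a))).join(" ");
}

// Vulnerable pattern (the "before" of the fix): the user-controlled value is
// interpolated straight into the template literal, so any newline or control
// character it contains reaches the log verbatim.
function warnVulnerable(identifier) {
  return renderConsoleLine(`Nested template not found: ${identifier}`);
}

// Hardened pattern (the shape the PR adopts): the value goes out as a separate
// JSON.stringify'd argument, so LF, CR, ESC and the other C0 controls become
// backslash escapes inside a quoted string and cannot open a new log entry.
function warnHardened(identifier) {
  return renderConsoleLine("Nested template not found:", JSON.stringify(identifier));
}

// Constructed attacker-controlled identifiers: the embedded newline forges a
// second, official-looking entry; the ESC sequence would clear a terminal line.
const FORGED_IDENTIFIER =
  "missing\n[ERROR] Template engine compromised, contact admin at evil.example";
const ANSI_IDENTIFIER = "missing\x1b[2K";

// Check a rendered entry for characters that would split it across lines or
// drive a terminal: CR, LF, ESC and every other C0 control character.
function hasLogBreak(line) {
  return /[\x00-\x1f]/.test(line);
}

// Run both patterns over the constructed inputs and report what each emits.
function demo() {
  const vulnerable = warnVulnerable(FORGED_IDENTIFIER);
  const hardened = warnHardened(FORGED_IDENTIFIER);
  return {
    vulnerable,
    hardened,
    vulnerableLines: vulnerable.split("\n").length,
    hardenedLines: hardened.split("\n").length,
    vulnerableTainted: hasLogBreak(vulnerable),
    hardenedTainted: hasLogBreak(hardened),
    ansiHardened: warnHardened(ANSI_IDENTIFIER),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

Two caveats worth keeping in mind with this fix. JSON.stringify escapes only the C0 range, the double quote, the backslash and lone surrogates; U+2028, U+2029 and DEL (0x7f) pass through literally, which is harmless for line-oriented log forging but matters if the output is ever re-parsed as JavaScript. And the value is now rendered quoted with backslash escapes rather than raw, so anything that greps the console output for the old unquoted form needs updating.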

Development

Successfully merging this pull request may close these issues.

[LOW] Log injection via unescaped template-body and attachment-name content in console.warn/error calls (template-insert.js:179,184,358)