From d742954ccbcdee7020f8f2e7c49ce0fca5a0efab Mon Sep 17 00:00:00 2001
From: Aleksander Machniak
Date: Wed, 18 Mar 2026 10:23:34 +0100
Subject: [PATCH] Fix XSS issue in a HTML attachment preview

Reported by aikido_security
---
 CHANGELOG.md | 1 +
 program/include/rcmail_action.php | 3 +++
 2 files changed, 4 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index ee3b90e97..9b64b1c4c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,7 @@
 - Security: Fix remote image blocking bypass via various SVG animate attributes
 - Security: Fix remote image blocking bypass via a crafted body background attribute
 - Security: Fix fixed position mitigation bypass via use of !important
+- Security: Fix XSS issue in a HTML attachment preview
 
 ## Release 1.5.13
 
diff --git a/program/include/rcmail_action.php b/program/include/rcmail_action.php
index 110515513..da966a9be 100644
--- a/program/include/rcmail_action.php
+++ b/program/include/rcmail_action.php
@@ -683,6 +683,9 @@ abstract class rcmail_action
         header('Content-Type: ' . $file['mimetype']);
         header('Content-Length: ' . $file['size']);
 
+        // Use strict security policy to make sure no javascript is executed
+        header("Content-Security-Policy: script-src 'none'");
+
         if (isset($file['data']) && is_string($file['data'])) {
             echo $file['data'];
         }
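Review bot: The added `Content-Security-Policy: script-src 'none'` in rcmail_action.php stops script execution, but with no `default-src` the previewed HTML can still load remote resources, embed `<object>`/`<embed>` content (`object-src` falls back to the unset default), submit forms to any origin and navigate the top window. A deny-by-default policy with only what the preview needs allowed, for example `header("Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; img-src data:; sandbox");`, would close those residual channels; which sources the preview genuinely needs is not visible in this hunk and would have to be confirmed against the rendering code. Since the same branch serves every `$file['mimetype']`, adding `header('X-Content-Type-Options: nosniff');` alongside would also keep non-HTML attachments from being sniffed into HTML. The enclosing method begins and ends outside the hunk, so any earlier exit path that echoes data before these headers is not reviewed here.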