glebm / rails_email_preview

Preview and edit app mailer templates in Rails.

http://glebm.github.io/rails_email_preview

Use render html: instead of inline:

cantino opened this issue 4 years ago · comments

Andrew Cantino commented 4 years ago

By using render inline: here you may be introducing a RCE since it will evaluate ERB.

rails_email_preview/app/controllers/rails_email_preview/emails_controller.rb

Line 70 in 723c126

render inline: body, layout: 'rails_email_preview/email'

Is that intended?

Gleb Mazovetskiy commented 4 years ago

Good catch!

Gleb Mazovetskiy commented 4 years ago

Fixed, released in https://github.com/glebm/rails_email_preview/releases/tag/v2.2.2

Andrew Cantino commented 4 years ago

👍