Document security assumptions about mj-include

My assumption was always to trust the mjml content:
 
- The file might contain might contain untrusted user data, e.g. a name inside a `<mj-text>` block.
- However the mjml structure and tags within the content should not be attacker-controlled.

Therefore `<mj-include>` tags are not a security concern to me - they include whatever the developer wanted to include.

The JS reference implementation seems to take a different approach:

- [CVE-2020-12827](https://github.com/advisories/GHSA-4hch-r9xf-6vfr): MJML vulnerable to path traversal
- [CVE-2025-67898](https://github.com/advisories/GHSA-45h5-66jx-r2wf): MJML allows mj-include directory traversal due to an incomplete fix for CVE-2020-12827

This ticket is a first attempt to convey the security assumptions I made when creating the project. However I'm also open to adding some code which might filter or even block `mj-include` tags if there is a need (+ willingness to contribute some dev time).

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Document security assumptions about mj-include #64

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Document security assumptions about mj-include #64

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions