Sending special XMPP messages with Jabber 12.5.2 fails

lindig · ‎09-10-2020

Hi,

we recently updated from 12.5.1 to 12.5.2 due to this vulnerability . We are using SleekXMPP for sending special HTML messages from a chatbot API endpoint into Jabber.

After we installed the update we are not able to send HTML IMG-Tags.

Python code looks like this if it helps:

msg_reply = self.Message()
msg_reply['to'] = msg['from']
msg_reply['from'] = msg['to']
msg_reply['type'] = 'chat'
msg_reply['html']['body'] = '<img src="PathToImage"/>'

But this still works:

msg_reply = self.Message()
msg_reply['to'] = msg['from']
msg_reply['from'] = msg['to']
msg_reply['type'] = 'chat'
msg_reply['html']['body'] = '<a target="_blank" href='PathToLink'>Title</a>

I can´t understand why the image-tags are blocked after the update and ahref-tags are still working. Yes, I send special crafted XMPP messages, but there has to be some configuration where I can whitelist special tags right?

Any suggestion for that?

Thanks in advance!

JohnD159753 · ‎09-29-2020

Did you ever figure anything about this? I'm trying to do something similar and I cant figure out how I could send an image.
I'm starting to wonder if I need to submit the image to the MFT server similar to how the jabber client sends an image/screenshot.

I wouldn't even know where to begin with that...

lindig · ‎09-30-2020

No, I can´t send images anymore after we installed the update...