## Bug When we load a HTML mail from mailbox via api, etc `http://nextcloud/index.php/apps/mail/accounts//folders/SU5CT1g=/messages//html` Our content will be passed to HTML Purifier to strip malicious XSS patterns. After that, an filter will apply to transform acceptable URI schemes `http, https, ftp, cid` to redirect/proxy service. There's a bug in here, only `http, https, cid` scheme are filtered. So we can add `src` attribute or `href` from url with scheme `ftp` or `NULL` (like `'../../abc/xyz'`) . We can easily bypass image filter (also Content-Security-Policy) Notice that there's a filter that append `target=_blank` to all `` tag. This can lead to opener bug [https://mathiasbynens.github.io/rel-noopener/#hax] (https://mathiasbynens.github.io/rel-noopener/#hax) that I learned from [124620] (https://hackerone.com/reports/124620). And finally it can leak accountID of user ## PoC * Attacker create a shared link of a image `http://192.168.200.117/nextcloud/index.php/s/HUw7Cwa40Phlt8v/download` * Attacker start a ftp server and create a html page. `ftp://chim:chim@localhost/test.html` * Attacker send a HTML email ```

test schema

Filtered img
Bypass img

``` ## Video Demo https://www.youtube.com/watch?v=BdOD49gokdI

Nextcloud: URI scheme bypass in mail app lead to HTML content spoof and opener control