XSS for eml and others (#5967)

app/common/src/main/java/stirling/software/common/service/SsrfProtectionService.java

@@ -226,10 +226,11 @@ public class SsrfProtectionService {
     }
 
     private boolean isPrivateIPv4Range(String ip) {
-        // Includes RFC1918, loopback, link-local, and unspecified addresses
+        // Includes RFC1918, RFC6598, loopback, link-local, and unspecified addresses
         return ip.startsWith("10.")
                 || ip.startsWith("192.168.")
                 || (ip.startsWith("172.") && isInRange172(ip))
+                || (ip.startsWith("100.") && isInRange100(ip))
                 || ip.startsWith("169.254.")
                 || ip.startsWith("127.")
                 || "0.0.0.0".equals(ip);
@@ -247,6 +248,18 @@ public class SsrfProtectionService {
         return false;
     }
 
+    private boolean isInRange100(String ip) {
+        String[] parts = ip.split("\\.");
+        if (parts.length >= 2) {
+            try {
+                int secondOctet = Integer.parseInt(parts[1]);
+                return secondOctet >= 64 && secondOctet <= 127;
+            } catch (NumberFormatException e) {
+            }
+        }
+        return false;
+    }
+
     private boolean isCloudMetadataAddress(String ip) {
         String normalizedIp = normalizeIpv4MappedAddress(ip);
         // Cloud metadata endpoints for AWS, GCP, Azure, Oracle Cloud, and IBM Cloud

app/common/src/main/java/stirling/software/common/util/EmlToPdf.java

@@ -13,11 +13,17 @@ public class EmlToPdf {
 
     public static String convertEmlToHtml(byte[] emlBytes, EmlToPdfRequest request)
             throws IOException {
+        return convertEmlToHtml(emlBytes, request, null);
+    }
+
+    public static String convertEmlToHtml(
+            byte[] emlBytes, EmlToPdfRequest request, CustomHtmlSanitizer customHtmlSanitizer)
+            throws IOException {
         EmlProcessingUtils.validateEmlInput(emlBytes);
 
         EmlParser.EmailContent emailContent =
-                EmlParser.extractEmailContent(emlBytes, request, null);
-        return EmlProcessingUtils.generateEnhancedEmailHtml(emailContent, request, null);
+                EmlParser.extractEmailContent(emlBytes, request, customHtmlSanitizer);
+        return EmlProcessingUtils.generateEnhancedEmailHtml(emailContent, request, customHtmlSanitizer);
     }
 
     public static byte[] convertEmlToPdf(

app/core/src/main/java/stirling/software/SPDF/controller/api/converters/ConvertEmlToPDF.java

@@ -81,7 +81,8 @@ public class ConvertEmlToPDF {
 
             if (request.isDownloadHtml()) {
                 try {
-                    String htmlContent = EmlToPdf.convertEmlToHtml(fileBytes, request);
+                    String htmlContent =
+                            EmlToPdf.convertEmlToHtml(fileBytes, request, customHtmlSanitizer);
                     log.info("Successfully converted email to HTML: {}", originalFilename);
                     return WebResponseUtils.bytesToWebResponse(
                             htmlContent.getBytes(StandardCharsets.UTF_8),

app/proprietary/src/main/java/stirling/software/proprietary/security/service/DatabaseService.java

@@ -488,14 +488,14 @@ public class DatabaseService implements DatabaseServiceInterface {
     private void executeDatabaseScript(Path scriptPath) {
         if (isH2Database()) {
 
+            // Validate SQL content BEFORE execution to prevent injection attacks
+            validateSqlContent(scriptPath);
+
             if (!verifyBackup(scriptPath)) {
                 log.error("Backup verification failed for: {}", scriptPath);
                 throw new IllegalArgumentException("Backup verification failed for: " + scriptPath);
             }
 
-            // Validate SQL content before execution to prevent injection attacks
-            validateSqlContent(scriptPath);
-
             String query = "RUNSCRIPT from ?;";
 
             try (Connection conn = dataSource.getConnection();