From 9e8606cab4796411d7487ed6428ab0238bf708d6 Mon Sep 17 00:00:00 2001
From: Anthony Stirling <77850077+Frooodle@users.noreply.github.com>
Date: Fri, 20 Mar 2026 11:55:23 +0000
Subject: [PATCH] XSS for eml and others (#5967)

---
 .../common/service/SsrfProtectionService.java | 15 ++++++++++++++-
 .../stirling/software/common/util/EmlToPdf.java | 10 ++++++++--
 .../api/converters/ConvertEmlToPDF.java | 3 ++-
 .../security/service/DatabaseService.java | 6 +++---
 4 files changed, 27 insertions(+), 7 deletions(-)

diff --git a/app/common/src/main/java/stirling/software/common/service/SsrfProtectionService.java b/app/common/src/main/java/stirling/software/common/service/SsrfProtectionService.java
index ce19ff8260..0d372f04e7 100644
--- a/app/common/src/main/java/stirling/software/common/service/SsrfProtectionService.java
+++ b/app/common/src/main/java/stirling/software/common/service/SsrfProtectionService.java
@@ -226,10 +226,11 @@ public class SsrfProtectionService {
     }
 
     private boolean isPrivateIPv4Range(String ip) {
-        // Includes RFC1918, loopback, link-local, and unspecified addresses
+        // Includes RFC1918, RFC6598, loopback, link-local, and unspecified addresses
         return ip.startsWith("10.")
                 || ip.startsWith("192.168.")
                 || (ip.startsWith("172.") && isInRange172(ip))
+                || (ip.startsWith("100.") && isInRange100(ip))
                 || ip.startsWith("169.254.")
                 || ip.startsWith("127.")
                 || "0.0.0.0".equals(ip);
@@ -247,6 +248,18 @@ public class SsrfProtectionService {
         return false;
     }
 
+    private boolean isInRange100(String ip) {
+        String[] parts = ip.split("\\.");
+        if (parts.length >= 2) {
+            try {
+                int secondOctet = Integer.parseInt(parts[1]);
+                return secondOctet >= 64 && secondOctet <= 127;
+            } catch (NumberFormatException e) {
+            }
+        }
+        return false;
+    }
+
     private boolean isCloudMetadataAddress(String ip) {
         String normalizedIp = normalizeIpv4MappedAddress(ip);
         // Cloud metadata endpoints for AWS, GCP, Azure, Oracle Cloud, and IBM Cloud
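Review bot: The new `|| (ip.startsWith("100.") && isInRange100(ip))` branch, like every other prefix test in isPrivateIPv4Range, only matches a plain dotted-quad string, whereas isCloudMetadataAddress in the next hunk first passes the address through normalizeIpv4MappedAddress. Unless the caller already normalizes before reaching this method (not visible in the hunk), an IPv4-mapped spelling of the same address would not be classified as private here while it would be caught by the metadata check. Running the same normalization at the top of this method, `String normalizedIp = normalizeIpv4MappedAddress(ip);` and testing that value, keeps the two classifiers consistent. The surrounding class continues outside the hunk, so how `ip` is produced cannot be confirmed from here.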
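Review bot: The `catch (NumberFormatException e) { }` in the new isInRange100 swallows the exception with no explanation; falling through to `return false` looks intentional, so the block should say so, e.g. `} catch (NumberFormatException ignored) { // non-numeric second octet: not a dotted quad, treat as outside 100.64.0.0/10 }`. The body also repeats the split-and-parse shape of isInRange172 (declared just above, outside this hunk), so a shared helper such as `secondOctetBetween(ip, 64, 127)` would keep the two range checks from drifting apart. Note that a malformed octet makes this method answer "not private"; if isPrivateIPv4Range is the only gate for such strings this is a fail-open default, which is worth confirming against the caller.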
diff --git a/app/common/src/main/java/stirling/software/common/util/EmlToPdf.java b/app/common/src/main/java/stirling/software/common/util/EmlToPdf.java index 85005af401..34a4282220 100644 --- a/app/common/src/main/java/stirling/software/common/util/EmlToPdf.java +++ b/app/common/src/main/java/stirling/software/common/util/EmlToPdf.java @@ -13,11 +13,17 @@ public class EmlToPdf { public static String convertEmlToHtml(byte[] emlBytes, EmlToPdfRequest request) throws IOException { + return convertEmlToHtml(emlBytes, request, null); + } + + public static String convertEmlToHtml( + byte[] emlBytes, EmlToPdfRequest request, CustomHtmlSanitizer customHtmlSanitizer) + throws IOException { EmlProcessingUtils.validateEmlInput(emlBytes); EmlParser.EmailContent emailContent = - EmlParser.extractEmailContent(emlBytes, request, null); - return EmlProcessingUtils.generateEnhancedEmailHtml(emailContent, request, null); + EmlParser.extractEmailContent(emlBytes, request, customHtmlSanitizer); + return EmlProcessingUtils.generateEnhancedEmailHtml(emailContent, request, customHtmlSanitizer); } public static byte[] convertEmlToPdf( diff --git a/app/core/src/main/java/stirling/software/SPDF/controller/api/converters/ConvertEmlToPDF.java b/app/core/src/main/java/stirling/software/SPDF/controller/api/converters/ConvertEmlToPDF.java index a165950437..5cf98556f3 100644 --- a/app/core/src/main/java/stirling/software/SPDF/controller/api/converters/ConvertEmlToPDF.java +++ b/app/core/src/main/java/stirling/software/SPDF/controller/api/converters/ConvertEmlToPDF.java @@ -81,7 +81,8 @@ public class ConvertEmlToPDF { if (request.isDownloadHtml()) { try { - String htmlContent = EmlToPdf.convertEmlToHtml(fileBytes, request); + String htmlContent = + EmlToPdf.convertEmlToHtml(fileBytes, request, customHtmlSanitizer); log.info("Successfully converted email to HTML: {}", originalFilename); return WebResponseUtils.bytesToWebResponse( htmlContent.getBytes(StandardCharsets.UTF_8), 
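Review bot: The retained two-argument convertEmlToHtml now delegates with `null` as the sanitizer, so any caller that is not updated keeps receiving HTML that presumably passes through EmlParser.extractEmailContent and generateEnhancedEmailHtml without sanitization — the same path this commit closes for the HTML download in ConvertEmlToPDF. Neither overload carries Javadoc; the three-argument method should state what a null customHtmlSanitizer means for the returned markup, and the two-argument one should be marked `@Deprecated` with an `@deprecated` tag pointing to the sanitizing overload, or removed once no caller remains. Separately, the new `return EmlProcessingUtils.generateEnhancedEmailHtml(emailContent, request, customHtmlSanitizer);` runs past the wrap width the neighbouring lines follow and should be broken like the extractEmailContent line above it.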
diff --git a/app/proprietary/src/main/java/stirling/software/proprietary/security/service/DatabaseService.java b/app/proprietary/src/main/java/stirling/software/proprietary/security/service/DatabaseService.java index 8595d02865..75c23e9a56 100644 --- a/app/proprietary/src/main/java/stirling/software/proprietary/security/service/DatabaseService.java +++ b/app/proprietary/src/main/java/stirling/software/proprietary/security/service/DatabaseService.java @@ -488,14 +488,14 @@ public class DatabaseService implements DatabaseServiceInterface { private void executeDatabaseScript(Path scriptPath) { if (isH2Database()) { + // Validate SQL content BEFORE execution to prevent injection attacks + validateSqlContent(scriptPath); + if (!verifyBackup(scriptPath)) { log.error("Backup verification failed for: {}", scriptPath); throw new IllegalArgumentException("Backup verification failed for: " + scriptPath); } - // Validate SQL content before execution to prevent injection attacks - validateSqlContent(scriptPath); - String query = "RUNSCRIPT from ?;"; try (Connection conn = dataSource.getConnection();
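Review bot: validateSqlContent(scriptPath) and the `RUNSCRIPT from ?;` that follows read the script from the file system independently, so the text that is executed is not necessarily the text that was validated; if anything else can write to scriptPath between the two reads, the validation can be sidestepped. Moving the validation ahead of verifyBackup does not change that; a sturdier shape is to read the file once, validate that content, and hand the same content to H2, or to copy the script into a private temporary file before both validating and executing it. The rewritten comment should also say why validation now precedes verification, since both the old and the new position are "before execution". The method continues past the end of the hunk, so how the query parameter is bound cannot be seen here.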