
Document security assumptions about mj-include

Status: Open. FelixSchwarz opened this issue (0 comments).

My assumption was always to trust the mjml content:

  • The file might contain untrusted user data, e.g. a name inside a <mj-text> block.
  • However the mjml structure and tags within the content should not be attacker-controlled.

Therefore <mj-include> tags are not a security concern to me - they include whatever the developer wanted to include.

The JS reference implementation seems to take a different approach:

  • CVE-2020-12827: MJML vulnerable to path traversal
  • CVE-2025-67898: MJML allows mj-include directory traversal due to an incomplete fix for CVE-2020-12827

This ticket is a first attempt to convey the security assumptions I made when creating the project. However I'm also open to adding some code which might filter or even block mj-include tags if there is a need (+ willingness to contribute some dev time).

FelixSchwarz, Dec 28 '25 08:12
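The kind of pre-render check the issue floats at the end (filter or block <mj-include> when the template structure is not fully trusted), written here as an added, hypothetical example. It is not code from mjml-python and does not use the project's API: it only inspects the MJML source before it is handed to any renderer. The include root `/srv/templates`, the function names, and the sample templates are constructed for the example. Two policies are shown: reject every <mj-include>, or allow includes only when the resolved path stays inside a fixed include root (which is the directory-traversal case the two CVEs cited above are about). It also shows that properly escaped user data inside <mj-text> never produces a tag, which is the trust model the issue describes.

```python
"""Pre-render checks for <mj-include> in MJML source.

Hypothetical helper, not part of mjml-python. The parser below only looks at
tag structure; it never reads or renders the included files.
"""
from html.parser import HTMLParser
from pathlib import Path


class _IncludeCollector(HTMLParser):
    """Collect the 'path' attribute of every <mj-include> start tag.

    HTMLParser lower-cases tag names and decodes entities in attribute values,
    and routes self-closing tags (<mj-include ... />) through handle_starttag.
    Escaped text such as '&lt;mj-include' is data, not a tag, so it is ignored.
    """

    def __init__(self):
        super().__init__()
        self.paths = []

    def handle_starttag(self, tag, attrs):
        if tag == "mj-include":
            self.paths.append(dict(attrs).get("path"))


def find_includes(mjml_source: str) -> list:
    """Return the raw 'path' values of all <mj-include> tags (None if missing)."""
    parser = _IncludeCollector()
    parser.feed(mjml_source)
    parser.close()
    return parser.paths


def check_includes(mjml_source: str, include_root: str, allow_includes: bool = True) -> list:
    """Validate every <mj-include> and return the normalized relative paths.

    Raises ValueError when includes are disallowed, when a tag has no path,
    or when a path (after resolving '..' segments, absolute paths and symlinks)
    leaves include_root. Containment is checked with Path.relative_to on the
    fully resolved candidate, not with a string-prefix comparison.
    """
    root = Path(include_root).resolve()
    accepted = []
    for raw in find_includes(mjml_source):
        if not allow_includes:
            raise ValueError("mj-include is not permitted in this template")
        if raw is None:
            raise ValueError("mj-include without a path attribute")
        # Joining an absolute 'raw' discards root, which the check below catches.
        candidate = (root / raw).resolve()
        try:
            relative = candidate.relative_to(root)
        except ValueError:
            raise ValueError(f"mj-include path escapes the include root: {raw!r}") from None
        accepted.append(relative.as_posix())
    return accepted


def template_is_acceptable(mjml_source: str, include_root: str, allow_includes: bool = True) -> bool:
    """Boolean wrapper around check_includes for callers that only need a verdict."""
    try:
        check_includes(mjml_source, include_root, allow_includes)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample templates; the include root is hypothetical.
    ROOT = "/srv/templates"
    ok = '<mjml><mj-body><mj-include path="partials/../header.mjml" /></mj-body></mjml>'
    bad = '<mjml><mj-body><mj-include path="../../etc/passwd" /></mj-body></mjml>'
    escaped = '<mjml><mj-body><mj-text>Hi &lt;mj-include path="x" /&gt;</mj-text></mj-body></mjml>'
    print(check_includes(ok, ROOT))                 # ['header.mjml']
    print(template_is_acceptable(bad, ROOT))        # False
    print(find_includes(escaped))                   # []
    print(template_is_acceptable(ok, ROOT, False))  # False: includes blocked outright
```

The check is deliberately independent of the renderer: run it on the template text before calling whatever renders it, and choose `allow_includes=False` for any pipeline in which template structure (not just the data interpolated into it) can be influenced by a user.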