HTML in recipient list allowed - even javascript

[ja-stiebing]

Related to Bug # 1330134 :
https://sourceforge.net/tracker/?
func=detail&atid=742847&aid=1330134&group_id=13928
1

After Bug # 1330134 has been solved now, a similar (the 
same) problem can show up if the incoming mail 
contains the following line (the text after the line will 
disappear):
</td></tr></table><div style="display:none;">

The (a bit) curious thing to this problem is that it appears 
also if the Mail ist text-only and the preferences are set 
to not prefer HTML.
(I think) it hadn't been a problem as Bug # 1330134 had 
been submitted.

[ja-stiebing]

Logged In: YES 
user_id=1191928

Sorry - the problem hasn't been in the mail body, the problem 
is located elsewhere as I noticed after checking again:
The recipient list is not handled as one wanted to see it. The 
recipient list in the mail with no (visible) text in it has been this 
line:
demo@roundcube.net, "</td></tr></table><div style='display:
none;'>" <any@body.be>

In general HTML seems to be allowed in the recipient name, 
be it images or some javascript like in this recipient list:
demo@roundcube.net, "<script type='text/
javascript'>alert(document.cookie);</script>" <body@any.be>

[seansan]

Still occuring (popup doesnt work though)

review in 0.1.1 how to handle - do we want HTML like code to be used in TO?

[seansan]

Dupe @ #1484647

[thomasb]

All strings are correctly quoted in 0.1-stable