✨ New Features
- New Project Website - The Mail Archiver now has a new dedicated project website at mail-archiver.org
- Support for personal Microsoft Accounts Added - Adds OAuth2 IMAP support for personal Microsoft accounts (Outlook.com / M365 Family / Hotmail). Thanks to @XtraLarge !
- Per-Account Storage Display - Shows database storage usage per account in the Dashboard "Account Overview" table and the MailAccounts "Show All" table.
⚙️ Improvements
- Mail Account Create / Edit / Details UX - Restructured all three pages into visual sections with headers and icons
- Folder Exclusion Toggle - Folder badges on the Edit page are now toggleable (click to add, click again to remove) and use semicolon separators matching the server-side parser.
- User Create / Edit UX - Restructured both pages into visual sections with headers and icons
- Dashboard Visual Polish - Modern gradient stat cards with count-up animation on load
- UI Table Harmonization - Unified table styling across Emails, MailAccounts, Users, Jobs, and Logs index pages
🐛 Bug Fixes
- Localized Strings Encoding in JavaScript - Localized strings (e.g. French "Tâche d'arrière-plan") were HTML-encoded by Razor when emitted inside
<script>blocks, causing entities like'to appear verbatim in the UI. - Stored XSS via Email HTML Body - Replaced the bypassable regex-based HTML sanitizer in the email viewer with an allowlist-based sanitizer (Ganss.HtmlSanitizer).
- IDOR on Email Deletion -
Emails/DeleteandEmails/DeleteSelectedpreviously only required the SelfManager role, allowing a SelfManager to delete emails belonging to accounts they are not authorized for by guessing/enumerating email IDs. - 2FA Session Fixation - The ASP.NET Core session was not regenerated after successful password verification, enabling a session-fixation attack (CWE-384) where an attacker who planted a session cookie pre-login could inherit the post-2FA authenticated state.