From fe3a8a22cbf76f95232ea3d2fa399f2cfa7d2f7f Mon Sep 17 00:00:00 2001 From: AlexArchiPro Date: Fri, 12 Jun 2026 17:14:59 +1200 Subject: [PATCH] BB-3813 Remove base tag from default email template The <% base_tag %> in Email.ss resolves via Director::absoluteBaseURL(), which is derived from the unvalidated Host header when no alternate base URL is configured. A poisoned Host header on a forgot-password request produced emails whose base tag pointed at the attacker's domain, allowing password reset link hijacking. Emails do not need a base tag: MailerSubscriber (registered by default in _config/mailer.yml) already rewrites all relative URLs in HTML and plain text bodies to absolute URLs via HTTP::absoluteURLs() before sending. --- templates/SilverStripe/Control/Email/Email.ss | 1 - 1 file changed, 1 deletion(-) diff --git a/templates/SilverStripe/Control/Email/Email.ss b/templates/SilverStripe/Control/Email/Email.ss index d69591afeef..8f455e247ab 100644 --- a/templates/SilverStripe/Control/Email/Email.ss +++ b/templates/SilverStripe/Control/Email/Email.ss @@ -1,7 +1,6 @@ - <% base_tag %>
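Review bot: The one-line removal of `<% base_tag %>` in Email.ss is the right fix for the Host-header-derived base URL, but it makes correct link rendering depend entirely on MailerSubscriber being registered, and nothing in the patch guards that assumption. Suggest adding a test that renders the default email template (including a forgot-password email) and asserts both that the body contains no `<base` element and that every link is absolute, so a project that overrides or disables the subscriber from _config/mailer.yml fails loudly rather than sending emails with broken relative links. The hunk header `@@ -1,7 +1,6 @@` implies six lines of unchanged context that are not visible here; please confirm the full hunk in the repository so reviewers can see what surrounds the removed line. Finally, since Director::absoluteBaseURL() still trusts the Host header wherever else it is used, the commit message or changelog should recommend configuring the alternate base URL it mentions as defence in depth rather than relying on this removal alone.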