From 66214eee85978f26039e60edac311772e6820057 Mon Sep 17 00:00:00 2001
From: Robin Ward
Date: Fri, 5 Jul 2019 14:51:03 -0400
Subject: [PATCH] SECURITY: Strip HTML from invite emails

We also strip new lines from the emails because it ruins the markdown formatting which expects a one line message.
---
 app/mailers/invite_mailer.rb | 21 +++++++--------------
 spec/mailers/invite_mailer_spec.rb | 11 ++++++++---
 2 files changed, 15 insertions(+), 17 deletions(-)

diff --git a/app/mailers/invite_mailer.rb b/app/mailers/invite_mailer.rb
index 79157dc23e5..4c12e697a9f 100644
--- a/app/mailers/invite_mailer.rb
+++ b/app/mailers/invite_mailer.rb
@@ -20,6 +20,9 @@ class InviteMailer < ActionMailer::Base
 inviter_name = "#{invite.invited_by.name} (#{invite.invited_by.username})"
 end
 
+ sanitized_message = invite.custom_message.present? ?
+ ActionView::Base.full_sanitizer.sanitize(invite.custom_message.gsub(/\n+/, " ").strip) : nil
+
 # If they were invited to a topic
 if first_topic.present?
 # get topic excerpt
@@ -28,11 +31,6 @@ class InviteMailer < ActionMailer::Base
 topic_excerpt = first_topic.excerpt.tr("\n", " ")
 end
 
- template = 'invite_mailer'
- if invite.custom_message.present?
- template = 'custom_invite_mailer'
- end
-
 topic_title = first_topic.try(:title)
 if SiteSetting.private_email?
 topic_title = I18n.t("system_messages.private_topic_title", id: first_topic.id)
@@ -40,7 +38,7 @@ class InviteMailer < ActionMailer::Base
 end
 
 build_email(invite.email,
- template: template,
+ template: sanitized_message ? 'custom_invite_mailer' : 'invite_mailer',
 inviter_name: inviter_name,
 site_domain_name: Discourse.current_hostname,
 invite_link: "#{Discourse.base_url}/invites/#{invite.invite_key}",
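Review bot: The newline collapse on the added `sanitized_message` line matches only `\n`, so a message submitted with CRLF line endings keeps its `\r` characters, which can still break the one-line markdown assumption the commit message describes; `invite.custom_message.gsub(/\R+/, " ").strip` (or `/[\r\n]+/`) covers both. Note also that `full_sanitizer.sanitize` returns entity-encoded text (an `&` comes back as `&amp;`), which is fine in an HTML body but would show literally in a text/plain part — worth confirming how the custom_invite_mailer template consumes `user_custom_message`, since that rendering is outside this diff. The enclosing `send_invite` method starts before this hunk.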
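Review bot: `sanitized_message ? 'custom_invite_mailer' : 'invite_mailer'` on the new `template:` line tests Ruby truthiness, and an empty string is truthy, so a custom message consisting only of markup (e.g. `<img src=x>`) sanitizes to `""` and still selects the custom template with a blank message, whereas the removed `present?` gate fell back to the stock template. Appending `.presence` where the value is computed in the first hunk — `...gsub(/\n+/, " ").strip).presence : nil` — restores that fallback for this call and the forum-invite one without touching the ternaries. The `build_email` call continues past the end of this hunk.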
@@ -48,21 +46,16 @@ class InviteMailer < ActionMailer::Base
 topic_excerpt: topic_excerpt,
 site_description: SiteSetting.site_description,
 site_title: SiteSetting.title,
- user_custom_message: invite.custom_message)
+ user_custom_message: sanitized_message)
 else
- template = 'invite_forum_mailer'
- if invite.custom_message.present?
- template = 'custom_invite_forum_mailer'
- end
-
 build_email(invite.email,
- template: template,
+ template: sanitized_message ? 'custom_invite_forum_mailer' : 'invite_forum_mailer',
 inviter_name: inviter_name,
 site_domain_name: Discourse.current_hostname,
 invite_link: "#{Discourse.base_url}/invites/#{invite.invite_key}",
 site_description: SiteSetting.site_description,
 site_title: SiteSetting.title,
- user_custom_message: invite.custom_message)
+ user_custom_message: sanitized_message)
 end
 end
 
diff --git a/spec/mailers/invite_mailer_spec.rb b/spec/mailers/invite_mailer_spec.rb
index 153799424a5..b9dcbcfebe3 100644
--- a/spec/mailers/invite_mailer_spec.rb
+++ b/spec/mailers/invite_mailer_spec.rb
@@ -38,7 +38,12 @@ describe InviteMailer do
 end
 
 context "custom invite message" do
- fab!(:invite) { Fabricate(:invite, custom_message: "Hey, you should join this forum!") }
+ fab!(:invite) {
+ Fabricate(
+ :invite,
+ custom_message: "Hey, you should join this forum!\n\nWelcome!"
+ )
+ }
 
 context "custom message includes invite link" do
 let(:custom_invite_mail) { InviteMailer.send_invite(invite) }
@@ -59,8 +64,8 @@ describe InviteMailer do
 expect(custom_invite_mail.body).to be_present
 end
 
- it 'renders custom_message' do
- expect(custom_invite_mail.body.encoded).to match("Hey, you should join this forum!")
+ it 'renders custom_message, stripping HTML' do
+ expect(custom_invite_mail.body.encoded).to match("Hey, you should join this forum! Welcome!")
 end
 
 it 'renders the inviter email' do
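Review bot: The new fixture `"Hey, you should join this forum!\n\nWelcome!"` contains no HTML, so the example retitled 'renders custom_message, stripping HTML' in the following hunk only exercises the newline collapsing and would still pass if the sanitizer call were removed. Put a tag in the fixture, e.g. `custom_message: "Hey, you should join this forum!<script>alert(1)</script>\n\nWelcome!"`, and add a negative assertion next to the existing one, `expect(custom_invite_mail.body.encoded).not_to match("<script>")`; the positive match on "Hey, you should join this forum! Welcome!" still holds once the element is stripped. The surrounding `context` blocks open before and close after this hunk.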