Enhance email functionality by adding HTML escaping

- Added `html-escape` crate to `Cargo.toml` for HTML escaping. - Updated email template processing to escape HTML in message and button text, preventing potential XSS vulnerabilities. - Modified test cases to include HTML content in email parameters, ensuring proper handling and escaping. This change improves security by sanitizing user input in email communications.
2025-01-24 08:57:48 -07:00 · 2025-01-24 08:57:48 -07:00 · 87466e8d61
parent d29e9345ea
commit 87466e8d61
2 changed files with 10 additions and 7 deletions
--- a/api/Cargo.toml
+++ b/api/Cargo.toml
@ -90,6 +90,7 @@ futures-util = "0.3"
 rayon = "1.10.0"
 diesel_migrations = "2.0.0"
 serde_yaml = "0.9.34"
+html-escape = "0.2.13"

 [profile.release]
 debug = false
--- a/api/src/utils/clients/email/resend.rs
+++ b/api/src/utils/clients/email/resend.rs
@ -1,6 +1,7 @@
 use anyhow::Result;
 use std::{collections::HashSet, env};
 use uuid::Uuid;
+use html_escape::encode_text as escape_html;

 use resend_rs::{types::CreateEmailBaseOptions, Resend};

@ -69,9 +70,9 @@ pub async fn send_email(to_addresses: HashSet<String>, email_type: EmailType) ->
    };

    let email_html = EMAIL_TEMPLATE
-        .replace("{{message}}", &email_params.message)
+        .replace("{{message}}", &escape_html(&email_params.message))
        .replace("{{button_link}}", &email_params.button_link)
-        .replace("{{button_text}}", email_params.button_text);
+        .replace("{{button_text}}", &escape_html(email_params.button_text));

    let from = "Buster <buster@mail.buster.so>";

@ -253,18 +254,20 @@ mod tests {
        dotenv().ok();
        let to_addresses = HashSet::from([
            "dallin@buster.so".to_string(),
-            "blake@buster.so".to_string(),
        ]);
        let email_type = EmailType::CollectionInvite(CollectionInvite {
-            collection_name: "Test Collection".to_string(),
+            collection_name: "Test Collection <script>alert('xss')</script>".to_string(),
            collection_id: Uuid::new_v4(),
-            inviter_name: "Dallin Bentley".to_string(),
+            inviter_name: "Dallin Bentley <b>test</b>".to_string(),
            new_user: false,
        });

        match send_email(to_addresses, email_type).await {
            Ok(_) => assert!(true),
-            Err(_) => assert!(false),
+            Err(e) => {
+                println!("Error sending email: {e}");
+                assert!(false)
+            }
        }
    }

@ -273,7 +276,6 @@ mod tests {
        dotenv().ok();
        let to_addresses = HashSet::from([
            "dallin@buster.so".to_string(),
-            "blake@buster.so".to_string(),
        ]);
        let email_type = EmailType::CollectionInvite(CollectionInvite {
            collection_name: "Test Collection".to_string(),