SECURITY: Strip HTML from invite emails
We also strip newlines from the custom message, because they break the markdown formatting, which expects a single-line message.
This commit is contained in:
parent
a7a7afdb27
commit
4fd470e63d
@ -20,6 +20,9 @@ class InviteMailer < ActionMailer::Base
|
|||||||
inviter_name = "#{invite.invited_by.name} (#{invite.invited_by.username})"
|
inviter_name = "#{invite.invited_by.name} (#{invite.invited_by.username})"
|
||||||
end
|
end
|
||||||
|
|
||||||
|
sanitized_message = invite.custom_message.present? ?
|
||||||
|
ActionView::Base.full_sanitizer.sanitize(invite.custom_message.gsub(/\n+/, " ").strip) : nil
|
||||||
|
|
||||||
# If they were invited to a topic
|
# If they were invited to a topic
|
||||||
if first_topic.present?
|
if first_topic.present?
|
||||||
# get topic excerpt
|
# get topic excerpt
|
||||||
@ -28,11 +31,6 @@ class InviteMailer < ActionMailer::Base
|
|||||||
topic_excerpt = first_topic.excerpt.tr("\n", " ")
|
topic_excerpt = first_topic.excerpt.tr("\n", " ")
|
||||||
end
|
end
|
||||||
|
|
||||||
template = 'invite_mailer'
|
|
||||||
if invite.custom_message.present?
|
|
||||||
template = 'custom_invite_mailer'
|
|
||||||
end
|
|
||||||
|
|
||||||
topic_title = first_topic.try(:title)
|
topic_title = first_topic.try(:title)
|
||||||
if SiteSetting.private_email?
|
if SiteSetting.private_email?
|
||||||
topic_title = I18n.t("system_messages.private_topic_title", id: first_topic.id)
|
topic_title = I18n.t("system_messages.private_topic_title", id: first_topic.id)
|
||||||
@ -40,7 +38,7 @@ class InviteMailer < ActionMailer::Base
|
|||||||
end
|
end
|
||||||
|
|
||||||
build_email(invite.email,
|
build_email(invite.email,
|
||||||
template: template,
|
template: sanitized_message ? 'custom_invite_mailer' : 'invite_mailer',
|
||||||
inviter_name: inviter_name,
|
inviter_name: inviter_name,
|
||||||
site_domain_name: Discourse.current_hostname,
|
site_domain_name: Discourse.current_hostname,
|
||||||
invite_link: "#{Discourse.base_url}/invites/#{invite.invite_key}",
|
invite_link: "#{Discourse.base_url}/invites/#{invite.invite_key}",
|
||||||
@ -48,21 +46,16 @@ class InviteMailer < ActionMailer::Base
|
|||||||
topic_excerpt: topic_excerpt,
|
topic_excerpt: topic_excerpt,
|
||||||
site_description: SiteSetting.site_description,
|
site_description: SiteSetting.site_description,
|
||||||
site_title: SiteSetting.title,
|
site_title: SiteSetting.title,
|
||||||
user_custom_message: invite.custom_message)
|
user_custom_message: sanitized_message)
|
||||||
else
|
else
|
||||||
template = 'invite_forum_mailer'
|
|
||||||
if invite.custom_message.present?
|
|
||||||
template = 'custom_invite_forum_mailer'
|
|
||||||
end
|
|
||||||
|
|
||||||
build_email(invite.email,
|
build_email(invite.email,
|
||||||
template: template,
|
template: sanitized_message ? 'custom_invite_forum_mailer' : 'invite_forum_mailer',
|
||||||
inviter_name: inviter_name,
|
inviter_name: inviter_name,
|
||||||
site_domain_name: Discourse.current_hostname,
|
site_domain_name: Discourse.current_hostname,
|
||||||
invite_link: "#{Discourse.base_url}/invites/#{invite.invite_key}",
|
invite_link: "#{Discourse.base_url}/invites/#{invite.invite_key}",
|
||||||
site_description: SiteSetting.site_description,
|
site_description: SiteSetting.site_description,
|
||||||
site_title: SiteSetting.title,
|
site_title: SiteSetting.title,
|
||||||
user_custom_message: invite.custom_message)
|
user_custom_message: sanitized_message)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
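Review bot: `sanitized_message` on the new line after `inviter_name` can be an empty string, which is truthy in Ruby, so a custom message consisting only of markup (e.g. a `<script>` block, which the full sanitizer removes entirely) still selects `custom_invite_mailer` and passes `user_custom_message: ""` to the template. Ending the expression with `.presence` makes both the template choice and the template variable fall back to the plain invite: `ActionView::Base.full_sanitizer.sanitize(invite.custom_message.gsub(/\n+/, " ").strip).presence : nil`. The newline collapse also only matches `\n`, so a `\r\n` message keeps a stray `\r` in the "one line" output; `gsub(/\R+/, " ")` covers CR, LF and CRLF alike. Note that `full_sanitizer.sanitize` returns a plain String rather than an html_safe buffer, so the templates (outside this hunk) must still escape the value at render time instead of treating the stripped text as safe markup.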
@ -38,7 +38,12 @@ describe InviteMailer do
|
|||||||
end
|
end
|
||||||
|
|
||||||
context "custom invite message" do
|
context "custom invite message" do
|
||||||
fab!(:invite) { Fabricate(:invite, custom_message: "Hey, you should join this forum!") }
|
fab!(:invite) {
|
||||||
|
Fabricate(
|
||||||
|
:invite,
|
||||||
|
custom_message: "Hey, you <b>should</b> join this forum!\n\nWelcome!"
|
||||||
|
)
|
||||||
|
}
|
||||||
|
|
||||||
context "custom message includes invite link" do
|
context "custom message includes invite link" do
|
||||||
let(:custom_invite_mail) { InviteMailer.send_invite(invite) }
|
let(:custom_invite_mail) { InviteMailer.send_invite(invite) }
|
||||||
@ -59,8 +64,8 @@ describe InviteMailer do
|
|||||||
expect(custom_invite_mail.body).to be_present
|
expect(custom_invite_mail.body).to be_present
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'renders custom_message' do
|
it 'renders custom_message, stripping HTML' do
|
||||||
expect(custom_invite_mail.body.encoded).to match("Hey, you should join this forum!")
|
expect(custom_invite_mail.body.encoded).to match("Hey, you should join this forum! Welcome!")
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'renders the inviter email' do
|
it 'renders the inviter email' do
|
||||||
|
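Review bot: The new expectation in `renders custom_message, stripping HTML` only checks that the flattened text is present; it never asserts that the markup is gone, and the fixture carries no attribute-bearing or script tag, which is the case a stripping regression would most likely miss. Add a negative assertion alongside it, e.g. `expect(custom_invite_mail.body.encoded).not_to match(/<b>|&lt;b&gt;/)` (the alternation covers whichever encoding the template produces), and consider a second fixture such as `"<script>alert(1)</script>Hi"` asserting that `body.encoded` contains neither `script` nor `alert`. The fixture's `\n\n` also exercises only bare LF; if the mailer is expected to flatten CRLF input too, a `\r\n` variant would pin that.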