SECURITY: Strip HTML from invite emails

We also strip new lines from the emails because it ruins the markdown formatting which expects a one line message.
2024-11-23 03:16:41 +08:00 · 2019-07-05 14:51:03 -04:00 · 2019-07-05 14:51:03 -04:00 · 66214eee85
commit 66214eee85
parent 155cad8b85
2 changed files with 15 additions and 17 deletions
--- a/app/mailers/invite_mailer.rb
+++ b/app/mailers/invite_mailer.rb
@ -20,6 +20,9 @@ class InviteMailer < ActionMailer::Base
      inviter_name = "#{invite.invited_by.name} (#{invite.invited_by.username})"
    end

+    sanitized_message = invite.custom_message.present? ?
+      ActionView::Base.full_sanitizer.sanitize(invite.custom_message.gsub(/\n+/, " ").strip) : nil
+
    # If they were invited to a topic
    if first_topic.present?
      # get topic excerpt
@ -28,11 +31,6 @@ class InviteMailer < ActionMailer::Base
        topic_excerpt = first_topic.excerpt.tr("\n", " ")
      end

-      template = 'invite_mailer'
-      if invite.custom_message.present?
-        template = 'custom_invite_mailer'
-      end
-
      topic_title = first_topic.try(:title)
      if SiteSetting.private_email?
        topic_title = I18n.t("system_messages.private_topic_title", id: first_topic.id)
@ -40,7 +38,7 @@ class InviteMailer < ActionMailer::Base
      end

      build_email(invite.email,
-                  template: template,
+                  template: sanitized_message ? 'custom_invite_mailer' : 'invite_mailer',
                  inviter_name: inviter_name,
                  site_domain_name: Discourse.current_hostname,
                  invite_link: "#{Discourse.base_url}/invites/#{invite.invite_key}",
@ -48,21 +46,16 @@ class InviteMailer < ActionMailer::Base
                  topic_excerpt: topic_excerpt,
                  site_description: SiteSetting.site_description,
                  site_title: SiteSetting.title,
-                  user_custom_message: invite.custom_message)
+                  user_custom_message: sanitized_message)
    else
-      template = 'invite_forum_mailer'
-      if invite.custom_message.present?
-        template = 'custom_invite_forum_mailer'
-      end
-
      build_email(invite.email,
-                  template: template,
+                  template: sanitized_message ? 'custom_invite_forum_mailer' : 'invite_forum_mailer',
                  inviter_name: inviter_name,
                  site_domain_name: Discourse.current_hostname,
                  invite_link: "#{Discourse.base_url}/invites/#{invite.invite_key}",
                  site_description: SiteSetting.site_description,
                  site_title: SiteSetting.title,
-                  user_custom_message: invite.custom_message)
+                  user_custom_message: sanitized_message)
    end
  end

--- a/spec/mailers/invite_mailer_spec.rb
+++ b/spec/mailers/invite_mailer_spec.rb
@ -38,7 +38,12 @@ describe InviteMailer do
      end

      context "custom invite message" do
-        fab!(:invite) { Fabricate(:invite, custom_message: "Hey, you should join this forum!") }
+        fab!(:invite) {
+          Fabricate(
+            :invite,
+            custom_message: "Hey, you <b>should</b> join this forum!\n\nWelcome!"
+          )
+        }

        context "custom message includes invite link" do
          let(:custom_invite_mail) { InviteMailer.send_invite(invite) }
@ -59,8 +64,8 @@ describe InviteMailer do
            expect(custom_invite_mail.body).to be_present
          end

-          it 'renders custom_message' do
-            expect(custom_invite_mail.body.encoded).to match("Hey, you should join this forum!")
+          it 'renders custom_message, stripping HTML' do
+            expect(custom_invite_mail.body.encoded).to match("Hey, you should join this forum! Welcome!")
          end

          it 'renders the inviter email' do