SECURITY: Strip HTML from invite emails

We also strip new lines from the emails because it ruins the markdown formatting which expects a one line message.
2025-02-25 18:55:32 -06:00 · 2019-07-05 14:51:03 -04:00
parent 155cad8b85
commit 66214eee85
2 changed files with 15 additions and 17 deletions
--- a/app/mailers/invite_mailer.rb
+++ b/app/mailers/invite_mailer.rb
@@ -20,6 +20,9 @@ class InviteMailer < ActionMailer::Base
      inviter_name = "#{invite.invited_by.name} (#{invite.invited_by.username})"
    end

+    sanitized_message = invite.custom_message.present? ?
+      ActionView::Base.full_sanitizer.sanitize(invite.custom_message.gsub(/\n+/, " ").strip) : nil
+
    # If they were invited to a topic
    if first_topic.present?
      # get topic excerpt
@@ -28,11 +31,6 @@ class InviteMailer < ActionMailer::Base
        topic_excerpt = first_topic.excerpt.tr("\n", " ")
      end

-      template = 'invite_mailer'
-      if invite.custom_message.present?
-        template = 'custom_invite_mailer'
-      end
-
      topic_title = first_topic.try(:title)
      if SiteSetting.private_email?
        topic_title = I18n.t("system_messages.private_topic_title", id: first_topic.id)
@@ -40,7 +38,7 @@ class InviteMailer < ActionMailer::Base
      end

      build_email(invite.email,
-                  template: template,
+                  template: sanitized_message ? 'custom_invite_mailer' : 'invite_mailer',
                  inviter_name: inviter_name,
                  site_domain_name: Discourse.current_hostname,
                  invite_link: "#{Discourse.base_url}/invites/#{invite.invite_key}",
@@ -48,21 +46,16 @@ class InviteMailer < ActionMailer::Base
                  topic_excerpt: topic_excerpt,
                  site_description: SiteSetting.site_description,
                  site_title: SiteSetting.title,
-                  user_custom_message: invite.custom_message)
+                  user_custom_message: sanitized_message)
    else
-      template = 'invite_forum_mailer'
-      if invite.custom_message.present?
-        template = 'custom_invite_forum_mailer'
-      end
-
      build_email(invite.email,
-                  template: template,
+                  template: sanitized_message ? 'custom_invite_forum_mailer' : 'invite_forum_mailer',
                  inviter_name: inviter_name,
                  site_domain_name: Discourse.current_hostname,
                  invite_link: "#{Discourse.base_url}/invites/#{invite.invite_key}",
                  site_description: SiteSetting.site_description,
                  site_title: SiteSetting.title,
-                  user_custom_message: invite.custom_message)
+                  user_custom_message: sanitized_message)
    end
  end