Merge pull request #8470 from nocodb/nc-fix/workspace-invite-email

fix: sanitise workspace/base name in invite email

packages/nocodb/src/services/base-users/base-users.service.ts

@@ -22,6 +22,7 @@ import { Base, BaseUser, User } from '~/models';
 import { MetaTable } from '~/utils/globals';
 import { extractProps } from '~/helpers/extractProps';
 import { getProjectRolePower } from '~/utils/roleHelper';
+import { sanitiseEmailContent } from '~/utils';
 
 @Injectable()
 export class BaseUsersService {
@@ -361,11 +362,13 @@ export class BaseUsersService {
             signupLink: `${req.ncSiteUrl}${
               Noco.getConfig()?.dashboardPath
             }#/signup/${token}`,
-            baseName: req.body?.baseName,
-            roles: (req.body?.roles || '')
-              .split(',')
-              .map((r) => r.replace(/^./, (m) => m.toUpperCase()))
-              .join(', '),
+            baseName: sanitiseEmailContent(req.body?.baseName),
+            roles: sanitiseEmailContent(
+              (req.body?.roles || '')
+                .split(',')
+                .map((r) => r.replace(/^./, (m) => m.toUpperCase()))
+                .join(', '),
+            ),
             adminEmail: req.user?.email,
           }),
         });

packages/nocodb/src/utils/emailUtils.ts

@@ -0,0 +1,15 @@
+// html encode string
+const encode = (str: string) => {
+  return str
+    ?.split('')
+    .map((char) => `&#${char.charCodeAt(0)};`)
+    .join('');
+};
+
+// a method to sanitise content and avoid any link/url injection in email content and html encode special chars
+// for example: example.com to be converted as example<span>.<span>com
+export const sanitiseEmailContent = (content: string) => {
+  return content
+    .replace(/[<>&;?#,'"$]+/g, encode)
+    .replace(/\.|\/\/:/g, '<span>$&</span>');
+};

packages/nocodb/src/utils/index.ts

@@ -1,4 +1,5 @@
 export * from './dataUtils';
 export * from './sanitiseUserObj';
+export * from './emailUtils';
 
 export const isEE = false;