
Merge pull request #8470 from nocodb/nc-fix/workspace-invite-email

fix: sanitise workspace/base name in invite email
pull/8475/head
Pranav C 6 months ago committed by GitHub
parent
commit
1c885412db
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
  1. 7
      packages/nocodb/src/services/base-users/base-users.service.ts
  2. 15
      packages/nocodb/src/utils/emailUtils.ts
  3. 1
      packages/nocodb/src/utils/index.ts

7
packages/nocodb/src/services/base-users/base-users.service.ts

@ -22,6 +22,7 @@ import { Base, BaseUser, User } from '~/models';
import { MetaTable } from '~/utils/globals';
import { extractProps } from '~/helpers/extractProps';
import { getProjectRolePower } from '~/utils/roleHelper';
import { sanitiseEmailContent } from '~/utils';
@Injectable()
export class BaseUsersService {
@ -361,11 +362,13 @@ export class BaseUsersService {
signupLink: `${req.ncSiteUrl}${
Noco.getConfig()?.dashboardPath
}#/signup/${token}`,
baseName: req.body?.baseName,
roles: (req.body?.roles || '')
baseName: sanitiseEmailContent(req.body?.baseName),
roles: sanitiseEmailContent(
(req.body?.roles || '')
.split(',')
.map((r) => r.replace(/^./, (m) => m.toUpperCase()))
.join(', '),
),
adminEmail: req.user?.email,
}),
});
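Review bot: `sanitiseEmailContent(req.body?.baseName)` passes a value that may be `undefined` into a helper typed `(content: string)`, and the helper calls `content.replace(...)` without a guard, so an invite request with no `baseName` now throws a TypeError where the old code simply rendered an empty name. Express's `req.body` is typically `any`, so the compiler will not flag the mismatch. Default at the call site: `baseName: sanitiseEmailContent(req.body?.baseName ?? ''),` (or make the helper accept `content?: string` and return `''` for nullish input). The `roles` argument is always a string because of the `|| ''` fallback, so only `baseName` is affected. The enclosing method starts and ends outside the hunk.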

15
packages/nocodb/src/utils/emailUtils.ts

@ -0,0 +1,15 @@
// html encode string
const encode = (str: string) => {
return str
?.split('')
.map((char) => `&#${char.charCodeAt(0)};`)
.join('');
};
// a method to sanitise content and avoid any link/url injection in email content and html encode special chars
// for example: example.com to be converted as example<span>.<span>com
export const sanitiseEmailContent = (content: string) => {
return content
.replace(/[<>&;?#,'"$]+/g, encode)
.replace(/\.|\/\/:/g, '<span>$&</span>');
};
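Review bot: The second `replace` pattern `/\.|\/\/:/g` cannot match a URL scheme separator, because `//:` is written in reverse order — `http://` contains `://`, so only the `.` alternative ever fires and the intended link-breaking falls back to dot-wrapping alone. Use `.replace(/\.|:\/\//g, '<span>$&</span>')` so both forms are neutralised as the header comment describes. The comment example is also off: the replacement yields `example<span>.</span>com`, not `example<span>.<span>com`. Since the function deliberately emits `<span>` tags and numeric entities, the returned value only works if the email template inserts it as raw HTML; if the template engine escapes interpolated values (not visible here), the tags will render literally, which is worth stating in the header comment, e.g. `// output is HTML and must be inserted into the template unescaped`.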

1
packages/nocodb/src/utils/index.ts

@ -1,4 +1,5 @@
export * from './dataUtils';
export * from './sanitiseUserObj';
export * from './emailUtils';
export const isEE = false;
