fix: sanitise workspace/base name in invite email

packages/nocodb/src/services/base-users/base-users.service.ts

@@ -22,6 +22,7 @@ import { Base, BaseUser, User } from '~/models';
 import { MetaTable } from '~/utils/globals';
 import { extractProps } from '~/helpers/extractProps';
 import { getProjectRolePower } from '~/utils/roleHelper';
+import { sanitiseEmailContent } from '~/utils';
 
 @Injectable()
 export class BaseUsersService {
@@ -361,11 +362,13 @@ export class BaseUsersService {
             signupLink: `${req.ncSiteUrl}${
               Noco.getConfig()?.dashboardPath
             }#/signup/${token}`,
-            baseName: req.body?.baseName,
-            roles: (req.body?.roles || '')
-              .split(',')
-              .map((r) => r.replace(/^./, (m) => m.toUpperCase()))
-              .join(', '),
+            baseName: sanitiseEmailContent(req.body?.baseName),
+            roles: sanitiseEmailContent(
+              (req.body?.roles || '')
+                .split(',')
+                .map((r) => r.replace(/^./, (m) => m.toUpperCase()))
+                .join(', '),
+            ),
             adminEmail: req.user?.email,
           }),
         });

packages/nocodb/src/utils/emailUtils.ts

@@ -0,0 +1,19 @@
+// html encode string
+const encode = (str) => {
+  const buf = [];
+
+  for (let i = str.length - 1; i >= 0; i--) {
+    const encoded = ['&#', str[i].charCodeAt(), ';'].join('');
+    buf.unshift(encoded);
+  }
+
+  return buf.join('');
+};
+
+// a method to sanitise content and avoid any link/url injection in email content and html encode special chars
+// for example: example.com to be converted as example<span>.<span>com
+export const sanitiseEmailContent = (content: string) => {
+  return content
+    .replace(/[<>&;?#,'"$]+/g, encode)
+    .replace(/\.|\/\/:/g, '<span>$&</span>');
+};

packages/nocodb/src/utils/index.ts

@@ -1,4 +1,5 @@
 export * from './dataUtils';
 export * from './sanitiseUserObj';
+export * from './emailUtils';
 
 export const isEE = false;