SECURITY: Strip HTML from invite emails

SECURITY: Strip HTML from invite emails

We also strip newlines from the emails because they ruin the markdown formatting, which expects a one-line message.

diff --git a/app/mailers/invite_mailer.rb b/app/mailers/invite_mailer.rb
index 79157dc..4c12e69 100644
--- a/app/mailers/invite_mailer.rb
+++ b/app/mailers/invite_mailer.rb
@@ -20,6 +20,9 @@ class InviteMailer < ActionMailer::Base
       inviter_name = "#{invite.invited_by.name} (#{invite.invited_by.username})"
     end
 
+    sanitized_message = invite.custom_message.present? ?
+      ActionView::Base.full_sanitizer.sanitize(invite.custom_message.gsub(/\n+/, " ").strip) : nil
+
     # If they were invited to a topic
     if first_topic.present?
       # get topic excerpt
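Review bot: A message made only of markup (for example `<b></b>`) sanitizes to an empty string, and `""` is truthy in Ruby, so the `sanitized_message ?` checks in the later hunks (the two `template:` lines and the `user_custom_message:` arguments) would select the custom templates with an empty message; appending `.presence` to the sanitizer result, `ActionView::Base.full_sanitizer.sanitize(invite.custom_message.gsub(/\n+/, " ").strip).presence : nil`, keeps nil for that case and makes the later checks consistent with the original `present?` logic. The newline collapse on the second added line leaves a stray `\r` behind for CRLF input, since only `\n` runs are replaced; `gsub(/[\r\n]+/, " ")` covers both. Whether the template renders `user_custom_message` through markdown or escapes it is not visible here; if markdown is applied, link syntax in the sanitized text can still become HTML, so the template output should be escaped or sanitized as well. The start of send_invite is outside this hunk.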
@@ -28,11 +31,6 @@ class InviteMailer < ActionMailer::Base
         topic_excerpt = first_topic.excerpt.tr("\n", " ")
       end
 
-      template = 'invite_mailer'
-      if invite.custom_message.present?
-        template = 'custom_invite_mailer'
-      end
-
       topic_title = first_topic.try(:title)
       if SiteSetting.private_email?
         topic_title = I18n.t("system_messages.private_topic_title", id: first_topic.id)
@@ -40,7 +38,7 @@ class InviteMailer < ActionMailer::Base
       end
 
       build_email(invite.email,
-                  template: template,
+                  template: sanitized_message ? 'custom_invite_mailer' : 'invite_mailer',
                   inviter_name: inviter_name,
                   site_domain_name: Discourse.current_hostname,
                   invite_link: "#{Discourse.base_url}/invites/#{invite.invite_key}",
@@ -48,21 +46,16 @@ class InviteMailer < ActionMailer::Base
                   topic_excerpt: topic_excerpt,
                   site_description: SiteSetting.site_description,
                   site_title: SiteSetting.title,
-                  user_custom_message: invite.custom_message)
+                  user_custom_message: sanitized_message)
     else
-      template = 'invite_forum_mailer'
-      if invite.custom_message.present?
-        template = 'custom_invite_forum_mailer'
-      end
-
       build_email(invite.email,
-                  template: template,
+                  template: sanitized_message ? 'custom_invite_forum_mailer' : 'invite_forum_mailer',
                   inviter_name: inviter_name,
                   site_domain_name: Discourse.current_hostname,
                   invite_link: "#{Discourse.base_url}/invites/#{invite.invite_key}",
                   site_description: SiteSetting.site_description,
                   site_title: SiteSetting.title,
-                  user_custom_message: invite.custom_message)
+                  user_custom_message: sanitized_message)
     end
   end
 
diff --git a/spec/mailers/invite_mailer_spec.rb b/spec/mailers/invite_mailer_spec.rb
index 1537994..b9dcbcf 100644
--- a/spec/mailers/invite_mailer_spec.rb
+++ b/spec/mailers/invite_mailer_spec.rb
@@ -38,7 +38,12 @@ describe InviteMailer do
       end
 
       context "custom invite message" do
-        fab!(:invite) { Fabricate(:invite, custom_message: "Hey, you should join this forum!") }
+        fab!(:invite) {
+          Fabricate(
+            :invite,
+            custom_message: "Hey, you <b>should</b> join this forum!\n\nWelcome!"
+          )
+        }
 
         context "custom message includes invite link" do
           let(:custom_invite_mail) { InviteMailer.send_invite(invite) }
@@ -59,8 +64,8 @@ describe InviteMailer do
             expect(custom_invite_mail.body).to be_present
           end
 
-          it 'renders custom_message' do
-            expect(custom_invite_mail.body.encoded).to match("Hey, you should join this forum!")
+          it 'renders custom_message, stripping HTML' do
+            expect(custom_invite_mail.body.encoded).to match("Hey, you should join this forum! Welcome!")
           end
 
           it 'renders the inviter email' do
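Review bot: The updated assertion only checks that the stripped text is present, so it would still pass if the `<b>` tags leaked through alongside it; add `expect(custom_invite_mail.body.encoded).not_to match("<b>")` to pin the sanitization itself. The fixture also only exercises the topic-invite path, while the forum-invite branch of send_invite receives the same `sanitized_message`; a second example without a topic would cover it. The enclosing `context` block starts outside this hunk.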

GitHub sha: 66214eee
