diff --git a/app/views/event_invitation_mailer/invite_coach.html.haml b/app/views/event_invitation_mailer/invite_coach.html.haml
index 584cd989c..b38fd4200 100644
--- a/app/views/event_invitation_mailer/invite_coach.html.haml
+++ b/app/views/event_invitation_mailer/invite_coach.html.haml
@@ -16,7 +16,7 @@
 %p.lead We’re pleased to invite you to #{@event.name}. If you are able to attend, please RSVP using the link in this email below.
 %p
- #{@event.description.html_safe}.
+ #{sanitize(@event.description)}.
 .content
 %table{ bgcolor: '#FFFFFF' }
diff --git a/app/views/event_invitation_mailer/invite_student.html.haml b/app/views/event_invitation_mailer/invite_student.html.haml
index a3f473890..d26b3782f 100644
--- a/app/views/event_invitation_mailer/invite_student.html.haml
+++ b/app/views/event_invitation_mailer/invite_student.html.haml
@@ -16,7 +16,7 @@
 %p.lead We’re excited to invite you to #{@event.name}. If you can come, please RSVP using the link in this email.
 %p
- #{@event.description.html_safe}.
+ #{sanitize(@event.description)}.
 .content
 %table{ bgcolor: '#FFFFFF' }
diff --git a/spec/mailers/event_invitation_mailer_spec.rb b/spec/mailers/event_invitation_mailer_spec.rb
index 99b53c57e..3ae8a134b 100644
--- a/spec/mailers/event_invitation_mailer_spec.rb
+++ b/spec/mailers/event_invitation_mailer_spec.rb
@@ -38,4 +38,28 @@
 expect(email.subject).to eq(email_subject)
 expect(email.body.encoded).to match('hello@codebar.io')
 end
+
+ describe 'XSS protection' do
+ let(:event_with_html) do
+ Fabricate(:event,
+ date_and_time: Time.zone.local(2017, 11, 12, 10, 0),
+ name: 'Test event',
+ description: '
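Review bot: The added `#{sanitize(@event.description)}.` line relies on the Rails default safe list, which still permits elements such as `a` with `href`, so an event description that reaches this template from user input can still carry arbitrary links into the invitation body even though script content is now stripped. If descriptions are only expected to hold simple inline markup, pin the allowed set explicitly, e.g. `#{sanitize(@event.description, tags: %w[p br strong em a], attributes: %w[href])}.`, and keep that list in one place so both templates agree. The same line appears in the invite_student.html.haml hunk and should get the identical treatment. The literal `.` after the interpolation is rendered outside whatever element the description closes, so it may land on its own line when the description is block-level; the surrounding HAML structure that contains this `%p` begins and ends outside the hunk.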

Safe content

') + end + let(:invitation_with_html) { Fabricate(:invitation, event: event_with_html, member: member) } + + it 'sanitizes description in invite_student email' do + EventInvitationMailer.invite_student(event_with_html, member, invitation_with_html).deliver_now + + expect(email.body.encoded).not_to include('