From 877fa21a092e3496f33e417621a8cb4fdf41eb4d Mon Sep 17 00:00:00 2001
From: Morgan Roderick <morgan@roderick.dk>
Date: Tue, 20 Jan 2026 19:19:06 +0100
Subject: [PATCH] Fix XSS vulnerability in event invitation emails

Replace `.html_safe` with `sanitize()` for event descriptions in email
templates to prevent potential XSS attacks while still allowing safe HTML
formatting tags.

Changes:
- Replace @event.description.html_safe with sanitize(@event.description)
  in invite_student.html.haml
- Replace @event.description.html_safe with sanitize(@event.description)
  in invite_coach.html.haml
- Add XSS protection test specs to verify dangerous tags are stripped
  while safe content is preserved

The sanitize helper uses Rails' built-in SafeListSanitizer which:
- Strips dangerous tags like <script> and event handlers (onclick, etc.)
- Allows safe HTML formatting tags (p, strong, em, a, br, etc.)
- Matches the pattern already used in non-email views throughout the codebase

Security: Fixes potential XSS vulnerability where malicious HTML/JavaScript
in event descriptions could be executed in invitation emails.
---
 .../invite_coach.html.haml                    |  2 +-
 .../invite_student.html.haml                  |  2 +-
 spec/mailers/event_invitation_mailer_spec.rb  | 24 +++++++++++++++++++
 3 files changed, 26 insertions(+), 2 deletions(-)

diff --git a/app/views/event_invitation_mailer/invite_coach.html.haml b/app/views/event_invitation_mailer/invite_coach.html.haml
index 584cd989c..b38fd4200 100644
--- a/app/views/event_invitation_mailer/invite_coach.html.haml
+++ b/app/views/event_invitation_mailer/invite_coach.html.haml
@@ -16,7 +16,7 @@
                 %p.lead
                   We’re pleased to invite you to #{@event.name}. If you are able to attend, please RSVP using the link in this email below.
                 %p
-                  #{@event.description.html_safe}.
+                  #{sanitize(@event.description)}.
 
         .content
           %table{ bgcolor: '#FFFFFF' }
diff --git a/app/views/event_invitation_mailer/invite_student.html.haml b/app/views/event_invitation_mailer/invite_student.html.haml
index a3f473890..d26b3782f 100644
--- a/app/views/event_invitation_mailer/invite_student.html.haml
+++ b/app/views/event_invitation_mailer/invite_student.html.haml
@@ -16,7 +16,7 @@
                 %p.lead
                   We’re excited to invite you to #{@event.name}. If you can come, please RSVP using the link in this email.
                 %p
-                  #{@event.description.html_safe}.
+                  #{sanitize(@event.description)}.
 
         .content
           %table{ bgcolor: '#FFFFFF' }
diff --git a/spec/mailers/event_invitation_mailer_spec.rb b/spec/mailers/event_invitation_mailer_spec.rb
index 99b53c57e..3ae8a134b 100644
--- a/spec/mailers/event_invitation_mailer_spec.rb
+++ b/spec/mailers/event_invitation_mailer_spec.rb
@@ -38,4 +38,28 @@
     expect(email.subject).to eq(email_subject)
     expect(email.body.encoded).to match('hello@codebar.io')
   end
+
+  describe 'XSS protection' do
+    let(:event_with_html) do
+      Fabricate(:event,
+        date_and_time: Time.zone.local(2017, 11, 12, 10, 0),
+        name: 'Test event',
+        description: '<script>alert("xss")</script><p>Safe content</p>')
+    end
+    let(:invitation_with_html) { Fabricate(:invitation, event: event_with_html, member: member) }
+
+    it 'sanitizes description in invite_student email' do
+      EventInvitationMailer.invite_student(event_with_html, member, invitation_with_html).deliver_now
+
+      expect(email.body.encoded).not_to include('<script>')
+      expect(email.body.encoded).to include('Safe content')
+    end
+
+    it 'sanitizes description in invite_coach email' do
+      EventInvitationMailer.invite_coach(event_with_html, member, invitation_with_html).deliver_now
+
+      expect(email.body.encoded).not_to include('<script>')
+      expect(email.body.encoded).to include('Safe content')
+    end
+  end
 end