Skip to content

Fix XSS vulnerability in event invitation emails #2439

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
olleolleolle merged 1 commit into from
Jan 21, 2026
Merged

Fix XSS vulnerability in event invitation emails #2439

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion app/views/event_invitation_mailer/invite_coach.html.haml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@
%p.lead
We’re pleased to invite you to #{@event.name}. If you are able to attend, please RSVP using the link in this email below.
%p
#{@event.description.html_safe}.
#{sanitize(@event.description)}.

.content
%table{ bgcolor: '#FFFFFF' }
Expand Down
2 changes: 1 addition & 1 deletion app/views/event_invitation_mailer/invite_student.html.haml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@
%p.lead
We’re excited to invite you to #{@event.name}. If you can come, please RSVP using the link in this email.
%p
#{@event.description.html_safe}.
#{sanitize(@event.description)}.

.content
%table{ bgcolor: '#FFFFFF' }
Expand Down
24 changes: 24 additions & 0 deletions spec/mailers/event_invitation_mailer_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -38,4 +38,28 @@
expect(email.subject).to eq(email_subject)
expect(email.body.encoded).to match('hello@codebar.io')
end

describe 'XSS protection' do
let(:event_with_html) do
Fabricate(:event,
date_and_time: Time.zone.local(2017, 11, 12, 10, 0),
name: 'Test event',
description: '<script>alert("xss")</script><p>Safe content</p>')
end
let(:invitation_with_html) { Fabricate(:invitation, event: event_with_html, member: member) }

it 'sanitizes description in invite_student email' do
EventInvitationMailer.invite_student(event_with_html, member, invitation_with_html).deliver_now

expect(email.body.encoded).not_to include('<script>')
expect(email.body.encoded).to include('Safe content')
Copy link
Contributor

@mikej mikej Jan 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could be worth setting the expected text to <p>Safe content<p> to communicate that some HTML is allowed?

end

it 'sanitizes description in invite_coach email' do
EventInvitationMailer.invite_coach(event_with_html, member, invitation_with_html).deliver_now

expect(email.body.encoded).not_to include('<script>')
expect(email.body.encoded).to include('Safe content')
end
end
end