Add HTML escaping utility in email handler for enhanced security
- Introduced a utility function to escape HTML special characters in email content, preventing HTML injection in the rendered email body.
- Updated email templates to apply the escapeHtml function to user inputs, including name, email, message, IP address, and user agent.
- Ensured that all dynamic content interpolated into the HTML email body is escaped before rendering, improving overall security and reliability.
@@ -171,6 +171,16 @@ export async function sendEmail(to: string, subject: string, html: string, text:
|
||||
}
|
||||
}
|
||||
|
||||
// Utility to escape HTML special characters
|
||||
function escapeHtml(str: string): string {
|
||||
return str
|
||||
.replace(/&/g, '&')
|
||||
.replace(/</g, '<')
|
||||
.replace(/>/g, '>')
|
||||
.replace(/"/g, '"')
|
||||
.replace(/'/g, ''');
|
||||
}
|
||||
|
||||
// Send admin notification email
|
||||
export async function sendAdminNotification(
|
||||
name: string,
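Review bot: As this page renders it, every replacement in escapeHtml substitutes a character for itself (`.replace(/&/g, '&')`, `.replace(/</g, '<')`, …), which would make the helper a no-op; this is almost certainly the forge decoding the `&amp;`, `&lt;`, `&gt;`, `&quot;` and `&#39;` entity literals for display, but it is worth confirming against the raw source that the literals really are entities. The helper also has no documentation stating its contract; I would add `/** Escapes &, <, >, " and ' for interpolation into HTML element content or attribute values. Not suitable for mail headers such as Subject, where entities are shown verbatim. */` above the declaration. A single-pass form, `str.replace(/[&<>"']/g, (c) => ENTITIES[c])` over a small lookup table, reads more clearly than the chained replaces and cannot accidentally double-escape the `&` produced by a later step if the order is ever changed.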
|
||||
@@ -195,7 +205,7 @@ export async function sendAdminNotification(
|
||||
return false;
|
||||
}
|
||||
|
||||
const subject = `New Contact Form Submission from ${name}`;
|
||||
const subject = `New Contact Form Submission from ${escapeHtml(name)}`;
|
||||
const html = `
|
||||
<!DOCTYPE html>
|
||||
<html>
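Review bot: The new `const subject = \`New Contact Form Submission from ${escapeHtml(name)}\`;` applies HTML escaping to a MIME header, not an HTML body: a name like `O'Brien` will show up in the recipient's subject line as `O&#39;Brien`, while the threat that actually matters in a header — CR/LF sequences in `name` injecting additional headers — is not addressed by entity escaping. I would keep the subject unescaped and instead strip line breaks and control characters, e.g. `const headerName = name.replace(/[\r\n\t]+/g, ' ').trim();` and `const subject = \`New Contact Form Submission from ${headerName}\`;`, leaving any RFC 2047 encoding to the mail library. Whether `sendEmail` (declared before this hunk) already rejects newlines in the subject is not visible here, so this should be verified before relying on it.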
|
||||
@@ -271,19 +281,19 @@ export async function sendAdminNotification(
|
||||
<div class="content">
|
||||
<div class="field">
|
||||
<div class="field-label">Name</div>
|
||||
<div class="field-value">${name}</div>
|
||||
<div class="field-value">${escapeHtml(name)}</div>
|
||||
</div>
|
||||
<div class="field">
|
||||
<div class="field-label">Email</div>
|
||||
<div class="field-value">${email}</div>
|
||||
<div class="field-value">${escapeHtml(email)}</div>
|
||||
</div>
|
||||
<div class="field">
|
||||
<div class="field-label">Message</div>
|
||||
<div class="message-content">${message.replace(/\n/g, '<br>')}</div>
|
||||
<div class="message-content">${escapeHtml(message).replace(/\n/g, '<br>')}</div>
|
||||
</div>
|
||||
<div class="meta-info">
|
||||
${ipAddress ? `<div><strong>IP Address:</strong> ${ipAddress}</div>` : ''}
|
||||
${userAgent ? `<div><strong>User Agent:</strong> ${userAgent}</div>` : ''}
|
||||
${ipAddress ? `<div><strong>IP Address:</strong> ${escapeHtml(ipAddress)}</div>` : ''}
|
||||
${userAgent ? `<div><strong>User Agent:</strong> ${escapeHtml(userAgent)}</div>` : ''}
|
||||
<div><strong>Time:</strong> ${new Date().toLocaleString()}</div>
|
||||
</div>
|
||||
<div class="footer">
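Review bot: The ordering in the new `${escapeHtml(message).replace(/\n/g, '<br>')}` is correct (escape first, then insert the `<br>` markup), but form submissions from browsers normally carry CRLF line endings in textarea content, so the `\r` survives into the HTML; it is harmless to render but untidy, and `/\r?\n/g` would cover both conventions in one change. The same pattern is repeated in sendUserConfirmation further down, so both call sites should be updated together. sendAdminNotification's body continues beyond this hunk.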
|
||||
@@ -387,12 +397,12 @@ export async function sendUserConfirmation(name: string, email: string, message:
|
||||
<h1>Thank you for your message</h1>
|
||||
</div>
|
||||
<div class="content">
|
||||
<p>Dear ${name},</p>
|
||||
<p>Dear ${escapeHtml(name)},</p>
|
||||
<p>Thank you for contacting ${WEBSITE_NAME}. We have received your message and will get back to you as soon as possible.</p>
|
||||
|
||||
<div class="message">
|
||||
<h3>Your Message:</h3>
|
||||
<p>${message.replace(/\n/g, '<br>')}</p>
|
||||
<p>${escapeHtml(message).replace(/\n/g, '<br>')}</p>
|
||||
</div>
|
||||
|
||||
<p>If you have any additional information to share, please don't hesitate to reply to this email.</p>
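Review bot: Escaping `${escapeHtml(name)}` and the message text closes off HTML injection in the confirmation email, but the bigger exposure in this function is not addressed: it sends attacker-controlled `name` and `message` text to an arbitrary, unverified `email` address (see the signature at the hunk header), which lets anyone use the site as a relay for spam or phishing sent from the site's own sender identity. Whether the calling form route applies rate limiting, a CAPTCHA, or address verification is not visible in this diff; if it does not, consider at least a per-IP rate limit and dropping the echoed message body from the confirmation. A short comment such as `// Echoes user-supplied text to a user-supplied address — caller must rate-limit` above the function would make that dependency explicit. sendUserConfirmation's body continues outside this hunk.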
|
||||
|