From d32d70399f7dd5ae2900db162052378dfb877942 Mon Sep 17 00:00:00 2001
From: becarta <github.devotee752@passmail.net>
Date: Fri, 13 Jun 2025 00:02:48 +0200
Subject: [PATCH] Add HTML escaping utility in email handler for enhanced
 security

- Introduced a utility function to escape HTML special characters in email content, preventing potential XSS vulnerabilities.
- Updated email templates to utilize the escapeHtml function for user inputs, including name, email, message, IP address, and user agent.
- Ensured that all dynamic content in emails is properly sanitized before being rendered, enhancing overall security and reliability.
---
 src/utils/email-handler.ts | 26 ++++++++++++++++++--------
 1 file changed, 18 insertions(+), 8 deletions(-)

diff --git a/src/utils/email-handler.ts b/src/utils/email-handler.ts
index 7137ca8..41c6756 100644
--- a/src/utils/email-handler.ts
+++ b/src/utils/email-handler.ts
@@ -171,6 +171,16 @@ export async function sendEmail(to: string, subject: string, html: string, text:
   }
 }
 
+// Utility to escape HTML special characters
+function escapeHtml(str: string): string {
+  return str
+    .replace(/&/g, '&amp;')
+    .replace(/</g, '&lt;')
+    .replace(/>/g, '&gt;')
+    .replace(/"/g, '&quot;')
+    .replace(/'/g, '&#39;');
+}
+
 // Send admin notification email
 export async function sendAdminNotification(
   name: string,
@@ -195,7 +205,7 @@ export async function sendAdminNotification(
     return false;
   }
 
-  const subject = `New Contact Form Submission from ${name}`;
+  const subject = `New Contact Form Submission from ${escapeHtml(name)}`;
   const html = `
     <!DOCTYPE html>
     <html>
@@ -271,19 +281,19 @@ export async function sendAdminNotification(
       <div class="content">
         <div class="field">
           <div class="field-label">Name</div>
-          <div class="field-value">${name}</div>
+          <div class="field-value">${escapeHtml(name)}</div>
         </div>
         <div class="field">
           <div class="field-label">Email</div>
-          <div class="field-value">${email}</div>
+          <div class="field-value">${escapeHtml(email)}</div>
         </div>
         <div class="field">
           <div class="field-label">Message</div>
-          <div class="message-content">${message.replace(/\n/g, '<br>')}</div>
+          <div class="message-content">${escapeHtml(message).replace(/\n/g, '<br>')}</div>
         </div>
         <div class="meta-info">
-          ${ipAddress ? `<div><strong>IP Address:</strong> ${ipAddress}</div>` : ''}
-          ${userAgent ? `<div><strong>User Agent:</strong> ${userAgent}</div>` : ''}
+          ${ipAddress ? `<div><strong>IP Address:</strong> ${escapeHtml(ipAddress)}</div>` : ''}
+          ${userAgent ? `<div><strong>User Agent:</strong> ${escapeHtml(userAgent)}</div>` : ''}
           <div><strong>Time:</strong> ${new Date().toLocaleString()}</div>
         </div>
         <div class="footer">
@@ -387,12 +397,12 @@ export async function sendUserConfirmation(name: string, email: string, message:
         <h1>Thank you for your message</h1>
       </div>
       <div class="content">
-        <p>Dear ${name},</p>
+        <p>Dear ${escapeHtml(name)},</p>
         <p>Thank you for contacting ${WEBSITE_NAME}. We have received your message and will get back to you as soon as possible.</p>
         
         <div class="message">
           <h3>Your Message:</h3>
-          <p>${message.replace(/\n/g, '<br>')}</p>
+          <p>${escapeHtml(message).replace(/\n/g, '<br>')}</p>
         </div>
 
         <p>If you have any additional information to share, please don't hesitate to reply to this email.</p>