Hyperlink Injection in People Invitation Emails (#2307)

* Strip special characters

* Allow hyphens

src/lib/services/email-service.test.ts

@@ -80,3 +80,24 @@ test('Can supply additional SMTP transport options', async () => {
         },
     });
 });
+
+test('should strip special characters from email subject', async () => {
+    const emailService = new EmailService(
+        {
+            host: 'test',
+            port: 9999,
+            secure: false,
+            sender: 'noreply@getunleash.ai',
+            smtpuser: '',
+            smtppass: '',
+        },
+        noLoggerProvider,
+    );
+    expect(emailService.stripSpecialCharacters('http://evil.com')).toBe(
+        'httpevilcom',
+    );
+    expect(emailService.stripSpecialCharacters('http://ööbik.com')).toBe(
+        'httpööbikcom',
+    );
+    expect(emailService.stripSpecialCharacters('tom-jones')).toBe('tom-jones');
+});

src/lib/services/email-service.ts

@@ -138,7 +138,12 @@ export class EmailService {
     ): Promise<IEmailEnvelope> {
         if (this.configured()) {
             const year = new Date().getFullYear();
-            const context = { passwordLink, name, year, unleashUrl };
+            const context = {
+                passwordLink,
+                name: this.stripSpecialCharacters(name),
+                year,
+                unleashUrl,
+            };
             const bodyHtml = await this.compileTemplate(
                 'getting-started',
                 TemplateFormat.HTML,
@@ -222,4 +227,8 @@ export class EmailService {
     configured(): boolean {
         return this.sender !== 'not-configured' && this.mailer !== undefined;
     }
+
+    stripSpecialCharacters(str: string): string {
+        return str?.replace(/[`~!@#$%^&*()_|+=?;:'",.<>\{\}\[\]\\\/]/gi, '');
+    }
 }