Fix XSS vulnerability in event invitation emails #2439
+26
−2
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Replace `.html_safe` with `sanitize()` for event descriptions in email templates to prevent potential XSS attacks while still allowing safe HTML formatting tags. Changes: - Replace @event.description.html_safe with sanitize(@event.description) in invite_student.html.haml - Replace @event.description.html_safe with sanitize(@event.description) in invite_coach.html.haml - Add XSS protection test specs to verify dangerous tags are stripped while safe content is preserved The sanitize helper uses Rails' built-in SafeListSanitizer which: - Strips dangerous tags like <script> and event handlers (onclick, etc.) - Allows safe HTML formatting tags (p, strong, em, a, br, etc.) - Matches the pattern already used in non-email views throughout the codebase Security: Fixes potential XSS vulnerability where malicious HTML/JavaScript in event descriptions could be executed in invitation emails.
mikej
suggested changes
Jan 20, 2026
| EventInvitationMailer.invite_student(event_with_html, member, invitation_with_html).deliver_now | ||
|
|
||
| expect(email.body.encoded).not_to include('<script>') | ||
| expect(email.body.encoded).to include('Safe content') |
Contributor
There was a problem hiding this comment.
Could be worth setting the expected text to <p>Safe content<p> to communicate that some HTML is allowed?
Contributor
|
Looks good. Just one suggestion about a possible improvement to the tests. Happy for this to be merged as-is if you prefer though. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR is a solution for #2436.
Summary
Fixes a security vulnerability where event descriptions using
.html_safecould allow XSS attacks in invitation emails.Changes
@event.description.html_safewithsanitize(@event.description)in:app/views/event_invitation_mailer/invite_student.html.haml:19app/views/event_invitation_mailer/invite_coach.html.haml:19spec/mailers/event_invitation_mailer_spec.rbSecurity Impact
The
sanitize()helper:<script>and event handlers (onclick, etc.)<p>,<strong>,<em>,<a>,<br>, etc.)SafeListSanitizerwith secure defaultsTest Plan
sanitizeNotes
This PR is marked as draft to validate tests pass in CI. Local test setup not available.
Related files NOT changed (for future consideration):
.html_safeon descriptions.html_safefor i18n strings with links