Ensure e-mail parameters are escaped to avoid XSS attacks.
mschaef committed Oct 25, 2022
1 parent 5df8475 commit 1f27f37
Showing 4 changed files with 32 additions and 21 deletions.
34 changes: 21 additions & 13 deletions src/toto/core/mail.clj
Expand Up @@ -19,29 +19,37 @@
;;
;; You must not remove this notice, or any other, from this software.


(ns toto.core.mail
(:use hiccup.core)
(:use toto.core.util)
(:require [clojure.tools.logging :as log]
[postal.core :as postal]))
[postal.core :as postal]
[hiccup.core :as hiccup]
[hiccup.util :as hiccup-util]))

(defn- escape-email-params [ params ]
(map-values #(if (string? %)
(hiccup-util/escape-html %)
"")
params))

(defn send-email [config message-info]
(let [smtp (:smtp config)
{to :to subject :subject content :content params :params} message-info
html-content (html [:html (if (fn? content)
(content (merge config (or params {})))
content)])]
{:keys [ to subject content params ]} message-info
html-content (hiccup/html
[:html
(content (escape-email-params
(merge {:base-url (:base-url config)}
(or params {}))))])]

(log/info "Sending mail to " to " with subject: " subject)
(cond
(not (:enabled smtp))
(do
(log/warn "E-mail disabled. Message not sent. Message text: ")
(log/warn html-content))
(log/warn "E-mail disabled. Message not sent. Message text: "
html-content)

(or (nil? to) (= (count to) 0))
(do
(log/warn "No destination e-mail address. Message not send. Message text: ")
(log/warn html-content))
(log/warn "No destination e-mail address. Message not send. Message text: "
html-content)

:else
(postal/send-message {:host (:host smtp)
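Review bot: Values that the templates place in `href` attributes — `:verify-link-url` and the `:base-url` merged in at `(merge {:base-url (:base-url config)} ...)` — are run through `hiccup-util/escape-html` in `escape-email-params` and then rendered by `hiccup/html`, whose attribute renderer escapes values a second time (it does in hiccup 1.x), so a `&` in a query string would arrive as `&amp;amp;` and break the link; worth confirming with a verify link that carries query parameters, and if so escaping only the values interpolated as text. The same `href` concern applies to the templates changed in src/toto/site/user.clj and src/toto/view/auth.clj in this commit. Non-string values are silently turned into `""`, which hides a wrong key or missing value from the template author, so the contract deserves a comment on `escape-email-params`: `;; Only string params reach the template; anything else is blanked so it can never be rendered unescaped.`. The `(fn? content)` branch is gone, so any caller that still passes a literal hiccup vector as `:content` now throws at `(content ...)`; I cannot see the callers, so this is a check rather than a defect. In the rewritten second `log/warn`, `Message not send.` should read `Message not sent.`.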
4 changes: 4 additions & 0 deletions src/toto/core/util.clj
Expand Up @@ -155,3 +155,7 @@

(defmacro with-thread-name [ thread-name & body ]
`(call-with-thread-name (fn [] ~@body) ~thread-name))

(defn map-values [f m]
(->> (map (fn [[k v]] [k (f v)]) m)
(into {})))
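Review bot: `map-values` has no docstring, and `(into {})` fixes the result type — the output is always a plain hash map whatever `m` was (a sorted map loses its ordering) and a nil `m` yields `{}` — so I would add `"Returns a map with the same keys as m and each value v replaced by (f v). Always produces a plain hash map."` right after the name. If keeping the input's map type matters to callers, `(reduce-kv (fn [acc k v] (assoc acc k (f v))) (empty m) m)` would preserve it for ordinary maps, though `empty` is not supported on records, so that depends on what callers pass.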
6 changes: 3 additions & 3 deletions src/toto/site/user.clj
Expand Up @@ -178,7 +178,7 @@
[:h1
"Verification E-mail"]
[:p
"Thank you for registering with " [:a {:href (:base-url (:config params))} "Toto"]
"Thank you for registering with " [:a {:href (:base-url params)} "Toto"]
", the family to-do list manager. You can verify your e-mail address by clicking"
[:a {:href (:verify-link-url params)} " here"] "."]
[:p
Expand All @@ -200,7 +200,7 @@
"Unlock Password"]
[:p
"Click " [:a {:href (:verify-link-url params)} "here"] " to unlock your "
"account at " [:a {:href (:base-url (:config params))} "Toto"] ", the family "
"account at " [:a {:href (:base-url params)} "Toto"] ", the family "
"to-do list manager."]])

(defn- send-unlock-link [ config user-id ]
Expand All @@ -218,7 +218,7 @@
"Reset Password"]
[:p
"Click " [:a {:href (:verify-link-url params)} "here"]
" to reset your password at " [:a {:href (:base-url (:config params))} "Toto"]
" to reset your password at " [:a {:href (:base-url params)} "Toto"]
", the family to-do list manager."]])

(defn- send-reset-link [ config user-id ]
9 changes: 4 additions & 5 deletions src/toto/view/auth.clj
Expand Up @@ -102,15 +102,14 @@
(defn current-roles []
(:roles (friend/current-authentication)))


(defn password-change-message [ config ]
(let [from-mail (get-in config [:smtp :from])]
(defn password-change-message [ params ]
(let [ { :keys [ from-mail ]} params ]
[:body
[:h1
"Password Changed"]
[:p
"This mail confirms that you have changed the password for your "
"account at " [:a {:href (:base-url config)} "Toto"]
"account at " [:a {:href (:base-url params)} "Toto"]
", the family to-do list manager."]
[:p
"If this isn't something you've requested, please contact us"
Expand All @@ -121,7 +120,7 @@
{:to [ username ]
:subject "Todo - Password Changed"
:content password-change-message
:params config}))
:params { :from-mail (get-in config [:smtp :from]) }}))

(defn set-user-password [ config username password ]
(log/info "Changing password for user:" username)
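Review bot: `password-change-message` now reads `from-mail` (destructured in the new `let`) and `(:base-url params)`, but nothing states that `params` is the escaped map built by `send-email` — `:from-mail` is supplied by the `:params` map in the second hunk and `:base-url` is merged in by `send-email` in src/toto/core/mail.clj — so I would add a docstring: `"Hiccup body for the password-changed mail. params is the escaped parameter map from send-email and must carry :from-mail and :base-url."`. As a point of style, the destructuring could live in the parameter vector, `(defn password-change-message [{:keys [from-mail base-url]}]`, with `[:a {:href base-url} "Toto"]` below, which drops the extra `let` nesting; the function body and the use of `from-mail` continue past the end of the first hunk, so the closing form would need adjusting there. `from-mail` is now an HTML-escaped string, which is right for text content but would be escaped a second time if it is placed in an attribute such as a `mailto:` href, since hiccup escapes attribute values itself.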
