fix: sanitize project/org name in invitation emails (#1898)

backend/app/src/test/kotlin/io/tolgee/api/v2/controllers/organizationController/OrganizationControllerInvitingTest.kt

@@ -172,6 +172,19 @@ class OrganizationControllerInvitingTest : AuthorizedControllerTest() {
     emailTestUtil.assertEmailTo.isEqualTo(INVITED_EMAIL)
   }
 
+  @Test
+  fun `e-mail is sanitized`() {
+    dummyDto.name = "Test org <a href='https://evil.local'>test</a>"
+    val organization = prepareTestOrganization()
+
+    inviteWithUserWithNameAndEmail(organization.id)
+    emailTestUtil.verifyEmailSent()
+
+    val messageContent = emailTestUtil.messageContents.single()
+    assertThat(messageContent).doesNotContain("<a href='https://evil.local")
+    assertThat(messageContent).contains("&lt;a href=&#39;https://evil.local")
+  }
+
   @Test
   fun `does not invite when email already invited`() {
     val organization = prepareTestOrganization()

backend/data/src/main/kotlin/io/tolgee/component/email/InvitationEmailSender.kt

@@ -4,6 +4,7 @@ import io.tolgee.component.FrontendUrlProvider
 import io.tolgee.dtos.misc.EmailParams
 import io.tolgee.model.Invitation
 import org.springframework.stereotype.Component
+import org.springframework.web.util.HtmlUtils
 
 @Component
 class InvitationEmailSender(
@@ -45,8 +46,10 @@ class InvitationEmailSender(
     }
 
     val name = projectNameOrNull ?: organizationNameOrNull
+      ?: throw IllegalStateException("Both the organization and the project are null??")
 
-    return "You have been invited to $toWhat $name in Tolgee."
+    val escapedName = HtmlUtils.htmlEscape(name)
+    return "You have been invited to $toWhat $escapedName in Tolgee."
   }
 
   private fun getInvitationAcceptUrl(code: String): String {