fix(ZNTA-544): incoming email message to plaintext

Incoming messages should be plaintext, to avoid malicious links hidden in anchors
zanata · May 16, 2018 · 6d4d331 · 6d4d331
1 parent 262358c
commit 6d4d331
Show file tree

Hide file tree

Showing 5 changed files with 16 additions and 10 deletions.
diff --git a/server/services/src/main/java/org/zanata/email/ContactAdminAnonymousEmailStrategy.java b/server/services/src/main/java/org/zanata/email/ContactAdminAnonymousEmailStrategy.java
@@ -52,8 +52,9 @@ public Map<String, Object> makeContext(Map<String, Object> genericContext,
             InternetAddress[] toAddresses) {
         Map<String, Object> context =
                 super.makeContext(genericContext, toAddresses);
-        String safeHTML = HtmlUtil.SANITIZER.sanitize(htmlMessage);
-        return context.put("ipAddress", ipAddress).put("htmlMessage", safeHTML);
+        String plainText = HtmlUtil.htmlToText(
+                HtmlUtil.SANITIZER.sanitize(htmlMessage));
+        return context.put("ipAddress", ipAddress).put("htmlMessage", plainText);
     }
 
     @java.beans.ConstructorProperties({ "ipAddress", "userSubject",

diff --git a/server/services/src/main/java/org/zanata/email/ContactAdminEmailStrategy.java b/server/services/src/main/java/org/zanata/email/ContactAdminEmailStrategy.java
@@ -59,10 +59,11 @@ public Map<String, Object> makeContext(Map<String, Object> genericContext,
             InternetAddress[] toAddresses) {
         Map<String, Object> context =
                 super.makeContext(genericContext, toAddresses);
-        String safeHTML = HtmlUtil.SANITIZER.sanitize(htmlMessage);
+        String plainText = HtmlUtil.htmlToText(
+                HtmlUtil.SANITIZER.sanitize(htmlMessage));
         return context.put("fromLoginName", fromLoginName)
                 .put("fromName", fromName).put("replyEmail", replyEmail)
-                .put("htmlMessage", safeHTML);
+                .put("htmlMessage", plainText);
     }
 
     @java.beans.ConstructorProperties({ "fromLoginName", "fromName",

diff --git a/server/services/src/main/java/org/zanata/email/ContactLanguageCoordinatorEmailStrategy.java b/server/services/src/main/java/org/zanata/email/ContactLanguageCoordinatorEmailStrategy.java
@@ -62,13 +62,14 @@ public Map<String, Object> makeContext(Map<String, Object> genericContext,
             InternetAddress[] toAddresses) {
         Map<String, Object> context =
                 super.makeContext(genericContext, toAddresses);
-        String safeHTML = HtmlUtil.SANITIZER.sanitize(htmlMessage);
+        String plainText = HtmlUtil.htmlToText(
+                HtmlUtil.SANITIZER.sanitize(htmlMessage));
         return context.put("receiver", receiver)
                 .put("fromLoginName", fromLoginName)
                 .put("fromName", fromName).put("replyEmail", replyEmail)
                 .put("localeId", localeId)
                 .put("localeNativeName", localeNativeName)
-                .put("htmlMessage", safeHTML);
+                .put("htmlMessage", plainText);
     }
 
     @java.beans.ConstructorProperties({ "receiver", "fromLoginName", "fromName",

diff --git a/server/services/src/main/java/org/zanata/email/RequestToJoinLanguageEmailStrategy.java b/server/services/src/main/java/org/zanata/email/RequestToJoinLanguageEmailStrategy.java
@@ -25,6 +25,7 @@
 import org.zanata.i18n.Messages;
 import org.zanata.util.HtmlUtil;
 import javax.mail.internet.InternetAddress;
+
 import static org.zanata.email.Addresses.getReplyTo;
 
 /**
@@ -63,12 +64,13 @@ public Map<String, Object> makeContext(Map<String, Object> genericContext,
             InternetAddress[] toAddresses) {
         Map<String, Object> context =
                 super.makeContext(genericContext, toAddresses);
-        String safeHTML = HtmlUtil.SANITIZER.sanitize(htmlMessage);
+        String plainText = HtmlUtil.htmlToText(
+                HtmlUtil.SANITIZER.sanitize(htmlMessage));
         return context.put("fromLoginName", fromLoginName)
                 .put("fromName", fromName).put("replyEmail", replyEmail)
                 .put("localeId", localeId)
                 .put("localeNativeName", localeNativeName)
-                .put("htmlMessage", safeHTML)
+                .put("htmlMessage", plainText)
                 .put("requestAsTranslator", requestAsTranslator)
                 .put("requestAsReviewer", requestAsReviewer)
                 .put("requestAsCoordinator", requestAsCoordinator);

diff --git a/server/services/src/main/java/org/zanata/email/RequestToJoinVersionGroupEmailStrategy.java b/server/services/src/main/java/org/zanata/email/RequestToJoinVersionGroupEmailStrategy.java
@@ -62,12 +62,13 @@ public Map<String, Object> makeContext(Map<String, Object> genericContext,
             InternetAddress[] toAddresses) {
         Map<String, Object> context =
                 super.makeContext(genericContext, toAddresses);
-        String safeHTML = HtmlUtil.SANITIZER.sanitize(htmlMessage);
+        String plainText = HtmlUtil.htmlToText(
+                HtmlUtil.SANITIZER.sanitize(htmlMessage));
         return context.put("fromLoginName", fromLoginName)
                 .put("fromName", fromName).put("replyEmail", replyEmail)
                 .put("groupName", groupName).put("versionGroupSlug", groupSlug)
                 .put("projectIterationIds", projectIterationIds)
-                .put("htmlMessage", safeHTML);
+                .put("htmlMessage", plainText);
     }
 
     @java.beans.ConstructorProperties({ "fromLoginName", "fromName",