From 6d4d331542011ee1674893067034db3d7084be43 Mon Sep 17 00:00:00 2001
From: Damian Jansen
Date: Fri, 11 May 2018 15:59:30 +1000
Subject: [PATCH] fix(ZNTA-544): incoming email message to plaintext

Incoming messages should be plaintext, to avoid malicious links hidden in anchors
---
 .../zanata/email/ContactAdminAnonymousEmailStrategy.java | 5 +++--
 .../java/org/zanata/email/ContactAdminEmailStrategy.java | 5 +++--
 .../email/ContactLanguageCoordinatorEmailStrategy.java | 5 +++--
 .../zanata/email/RequestToJoinLanguageEmailStrategy.java | 6 ++++--
 .../email/RequestToJoinVersionGroupEmailStrategy.java | 5 +++--
 5 files changed, 16 insertions(+), 10 deletions(-)

diff --git a/server/services/src/main/java/org/zanata/email/ContactAdminAnonymousEmailStrategy.java b/server/services/src/main/java/org/zanata/email/ContactAdminAnonymousEmailStrategy.java
index d64bdf5f87c..ac314772e1e 100644
--- a/server/services/src/main/java/org/zanata/email/ContactAdminAnonymousEmailStrategy.java
+++ b/server/services/src/main/java/org/zanata/email/ContactAdminAnonymousEmailStrategy.java
@@ -52,8 +52,9 @@
     public Map makeContext(Map genericContext,
             InternetAddress[] toAddresses) {
         Map context = super.makeContext(genericContext, toAddresses);
-        String safeHTML = HtmlUtil.SANITIZER.sanitize(htmlMessage);
-        return context.put("ipAddress", ipAddress).put("htmlMessage", safeHTML);
+        String plainText = HtmlUtil.htmlToText(
+                HtmlUtil.SANITIZER.sanitize(htmlMessage));
+        return context.put("ipAddress", ipAddress).put("htmlMessage", plainText);
     }
 
     @java.beans.ConstructorProperties({ "ipAddress", "userSubject",
diff --git a/server/services/src/main/java/org/zanata/email/ContactAdminEmailStrategy.java b/server/services/src/main/java/org/zanata/email/ContactAdminEmailStrategy.java
index f7fdaeb7458..8c6439de4dc 100644
--- a/server/services/src/main/java/org/zanata/email/ContactAdminEmailStrategy.java
+++ b/server/services/src/main/java/org/zanata/email/ContactAdminEmailStrategy.java
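Review bot: The value stored under `"htmlMessage"` on the new `return` line is now plain text, yet the key name and the templates that consume it are unchanged, and whether those templates escape the value is not visible in this diff; if `HtmlUtil.htmlToText` decodes entities (as text extraction generally does), a sanitized `&lt;a href=...&gt;` comes back as literal `<a href=...>`, so any template that previously inserted the sanitized HTML verbatim must now escape it or the markup is reintroduced. The same applies to the identical hunks in ContactAdminEmailStrategy, ContactLanguageCoordinatorEmailStrategy, RequestToJoinLanguageEmailStrategy and RequestToJoinVersionGroupEmailStrategy. The sanitize-then-convert pair is repeated in all five strategies; one helper on the existing util class, e.g. `String plainText = HtmlUtil.sanitizeToText(htmlMessage);` wrapping both calls, keeps the policy in a single place and gives it one name to document. Renaming the context key to something like `plainTextMessage` would make the new meaning explicit, but only if the template side changes in the same commit.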
@@ -59,10 +59,11 @@
     public Map makeContext(Map genericContext,
             InternetAddress[] toAddresses) {
         Map context = super.makeContext(genericContext, toAddresses);
-        String safeHTML = HtmlUtil.SANITIZER.sanitize(htmlMessage);
+        String plainText = HtmlUtil.htmlToText(
+                HtmlUtil.SANITIZER.sanitize(htmlMessage));
         return context.put("fromLoginName", fromLoginName)
                 .put("fromName", fromName).put("replyEmail", replyEmail)
-                .put("htmlMessage", safeHTML);
+                .put("htmlMessage", plainText);
     }
 
     @java.beans.ConstructorProperties({ "fromLoginName", "fromName",
diff --git a/server/services/src/main/java/org/zanata/email/ContactLanguageCoordinatorEmailStrategy.java b/server/services/src/main/java/org/zanata/email/ContactLanguageCoordinatorEmailStrategy.java
index dc5d40ac057..73c6bea0b2f 100644
--- a/server/services/src/main/java/org/zanata/email/ContactLanguageCoordinatorEmailStrategy.java
+++ b/server/services/src/main/java/org/zanata/email/ContactLanguageCoordinatorEmailStrategy.java
@@ -62,13 +62,14 @@
     public Map makeContext(Map genericContext,
             InternetAddress[] toAddresses) {
         Map context = super.makeContext(genericContext, toAddresses);
-        String safeHTML = HtmlUtil.SANITIZER.sanitize(htmlMessage);
+        String plainText = HtmlUtil.htmlToText(
+                HtmlUtil.SANITIZER.sanitize(htmlMessage));
         return context.put("receiver", receiver)
                 .put("fromLoginName", fromLoginName)
                 .put("fromName", fromName).put("replyEmail", replyEmail)
                 .put("localeId", localeId)
                 .put("localeNativeName", localeNativeName)
-                .put("htmlMessage", safeHTML);
+                .put("htmlMessage", plainText);
     }
 
     @java.beans.ConstructorProperties({ "receiver", "fromLoginName", "fromName",
diff --git a/server/services/src/main/java/org/zanata/email/RequestToJoinLanguageEmailStrategy.java b/server/services/src/main/java/org/zanata/email/RequestToJoinLanguageEmailStrategy.java
index 65fa987b0e7..3a870e92330 100644
--- a/server/services/src/main/java/org/zanata/email/RequestToJoinLanguageEmailStrategy.java
+++ b/server/services/src/main/java/org/zanata/email/RequestToJoinLanguageEmailStrategy.java
@@ -25,6 +25,7 @@
 import org.zanata.i18n.Messages;
 import org.zanata.util.HtmlUtil;
 import javax.mail.internet.InternetAddress;
+
 import static org.zanata.email.Addresses.getReplyTo;
 
 /**
@@ -63,12 +64,13 @@
     public Map makeContext(Map genericContext,
             InternetAddress[] toAddresses) {
         Map context = super.makeContext(genericContext, toAddresses);
-        String safeHTML = HtmlUtil.SANITIZER.sanitize(htmlMessage);
+        String plainText = HtmlUtil.htmlToText(
+                HtmlUtil.SANITIZER.sanitize(htmlMessage));
         return context.put("fromLoginName", fromLoginName)
                 .put("fromName", fromName).put("replyEmail", replyEmail)
                 .put("localeId", localeId)
                 .put("localeNativeName", localeNativeName)
-                .put("htmlMessage", safeHTML)
+                .put("htmlMessage", plainText)
                 .put("requestAsTranslator", requestAsTranslator)
                 .put("requestAsReviewer", requestAsReviewer)
                 .put("requestAsCoordinator", requestAsCoordinator);
diff --git a/server/services/src/main/java/org/zanata/email/RequestToJoinVersionGroupEmailStrategy.java b/server/services/src/main/java/org/zanata/email/RequestToJoinVersionGroupEmailStrategy.java
index 501d59a2542..10df3c76985 100644
--- a/server/services/src/main/java/org/zanata/email/RequestToJoinVersionGroupEmailStrategy.java
+++ b/server/services/src/main/java/org/zanata/email/RequestToJoinVersionGroupEmailStrategy.java
@@ -62,12 +62,13 @@
     public Map makeContext(Map genericContext,
             InternetAddress[] toAddresses) {
         Map context = super.makeContext(genericContext, toAddresses);
-        String safeHTML = HtmlUtil.SANITIZER.sanitize(htmlMessage);
+        String plainText = HtmlUtil.htmlToText(
+                HtmlUtil.SANITIZER.sanitize(htmlMessage));
         return context.put("fromLoginName", fromLoginName)
                 .put("fromName", fromName).put("replyEmail", replyEmail)
                 .put("groupName", groupName).put("versionGroupSlug", groupSlug)
                 .put("projectIterationIds", projectIterationIds)
-                .put("htmlMessage", safeHTML);
+                .put("htmlMessage", plainText);
     }
 
     @java.beans.ConstructorProperties({ "fromLoginName", "fromName",