dev: Add email preview tool #10381
dev: Add email preview tool #10381
Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
Betree
force-pushed
the
dev/email-preview
branch
2 times, most recently
from
65687f3 to
2034a3a
Compare
Betree
force-pushed
the
dev/email-preview
branch
from
2034a3a to
70c385c
Compare
|
|
||
| const renderResult = renderEmail(templateName); | ||
| const attributes = getTemplateAttributes(renderResult.html); | ||
| res.send(attributes.body); |
Check warning
Code scanning / CodeQL
Exception text reinterpreted as HTML Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 10 days ago
To fix the problem, we need to ensure that any user-controlled data is properly sanitized or escaped before being included in the HTML response. This can be achieved by using a library like he (HTML entities) to escape the content before sending it in the response.
- Install the
helibrary to handle HTML escaping. - Use the
helibrary to escapeattributes.bodyanderror.messagebefore including them in the HTML response.
| @@ -10,2 +10,3 @@ | ||
| import { stripHTML } from '../../server/lib/sanitize-html'; | ||
| import he from 'he'; | ||
| import MOCKS from '../../test/mocks/data'; | ||
| @@ -184,3 +185,3 @@ | ||
| const attributes = getTemplateAttributes(renderResult.html); | ||
| res.send(attributes.body); | ||
| res.send(he.escape(attributes.body)); | ||
| } catch (error) { | ||
| @@ -195,4 +196,4 @@ | ||
| <h1>Error while rendering template</h1> | ||
| <p>${error.message}. Details:</p> | ||
| <pre style="background-color: #f8f9fa; padding: 10px; overflow: auto; max-width: 100%;">${error.stack}</pre> | ||
| <p>${he.escape(error.message)}. Details:</p> | ||
| <pre style="background-color: #f8f9fa; padding: 10px; overflow: auto; max-width: 100%;">${he.escape(error.stack)}</pre> | ||
| </body> |
| @@ -136,3 +136,4 @@ | ||
| "winston": "3.17.0", | ||
| "zod": "3.23.8" | ||
| "zod": "3.23.8", | ||
| "he": "^1.2.0" | ||
| }, |
| Package | Version | Security advisories |
| he (npm) | 1.2.0 | None |
| try { | ||
| const renderResult = renderEmail(templateName); | ||
| const attributes = getTemplateAttributes(renderResult.html); | ||
| res.send(attributes.subject); |
Check warning
Code scanning / CodeQL
Exception text reinterpreted as HTML Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 10 days ago
To fix the problem, we need to ensure that any user input included in the response is properly sanitized to prevent XSS attacks. This can be achieved by using a library like escape-html to escape any potentially dangerous characters in the error message before sending it to the client.
| @@ -186,2 +186,3 @@ | ||
| } catch (error) { | ||
| const escapeHtml = require('escape-html'); | ||
| res.status(400).send(` | ||
| @@ -195,4 +196,4 @@ | ||
| <h1>Error while rendering template</h1> | ||
| <p>${error.message}. Details:</p> | ||
| <pre style="background-color: #f8f9fa; padding: 10px; overflow: auto; max-width: 100%;">${error.stack}</pre> | ||
| <p>${escapeHtml(error.message)}. Details:</p> | ||
| <pre style="background-color: #f8f9fa; padding: 10px; overflow: auto; max-width: 100%;">${escapeHtml(error.stack)}</pre> | ||
| </body> |
| @@ -136,3 +136,4 @@ | ||
| "winston": "3.17.0", | ||
| "zod": "3.23.8" | ||
| "zod": "3.23.8", | ||
| "escape-html": "^1.0.3" | ||
| }, |
| Package | Version | Security advisories |
| escape-html (npm) | 1.0.3 | None |
A minimalist tool to work on email templates styles and content. Start it with:
List emails
Preview template