sanitize user provided string for emails

2024-11-22 12:15:36 +01:00 · 2017-09-27 12:45:57 -04:00 · 2017-09-27 12:45:57 -04:00 · 184fe0cd64
commit 184fe0cd64
parent ef354e7083
2 changed files with 12 additions and 4 deletions
--- a/src/Core/Services/Implementations/RazorMailService.cs
+++ b/src/Core/Services/Implementations/RazorMailService.cs
@ -7,6 +7,7 @@ using Bit.Core.Models.Mail;
 using RazorLight.Templating;
 using System.IO;
 using System.Net;
+using Bit.Core.Utilities;

 namespace Bit.Core.Services
 {
@ -118,7 +119,7 @@ namespace Bit.Core.Services
            var message = CreateDefaultMessage("Your Master Password Hint", email);
            var model = new MasterPasswordHintViewModel
            {
-                Hint = hint,
+                Hint = CoreHelpers.SanitizeForEmail(hint),
                WebVaultUrl = _globalSettings.BaseServiceUri.VaultWithHash,
                SiteName = _globalSettings.SiteName
            };
@ -146,7 +147,7 @@ namespace Bit.Core.Services
            var message = CreateDefaultMessage($"User {userEmail} Has Accepted Invite", adminEmails);
            var model = new OrganizationUserAcceptedViewModel
            {
-                OrganizationName = organizationName,
+                OrganizationName = CoreHelpers.SanitizeForEmail(organizationName),
                UserEmail = userEmail,
                WebVaultUrl = _globalSettings.BaseServiceUri.VaultWithHash,
                SiteName = _globalSettings.SiteName
@ -161,7 +162,7 @@ namespace Bit.Core.Services
            var message = CreateDefaultMessage($"You Have Been Confirmed To {organizationName}", email);
            var model = new OrganizationUserConfirmedViewModel
            {
-                OrganizationName = organizationName,
+                OrganizationName = CoreHelpers.SanitizeForEmail(organizationName),
                WebVaultUrl = _globalSettings.BaseServiceUri.VaultWithHash,
                SiteName = _globalSettings.SiteName
            };
@ -175,7 +176,7 @@ namespace Bit.Core.Services
            var message = CreateDefaultMessage($"Join {organizationName}", orgUser.Email);
            var model = new OrganizationUserInvitedViewModel
            {
-                OrganizationName = organizationName,
+                OrganizationName = CoreHelpers.SanitizeForEmail(organizationName),
                Email = WebUtility.UrlEncode(orgUser.Email),
                OrganizationId = orgUser.OrganizationId.ToString(),
                OrganizationUserId = orgUser.Id.ToString(),
--- a/src/Core/Utilities/CoreHelpers.cs
+++ b/src/Core/Utilities/CoreHelpers.cs
@ -411,5 +411,12 @@ namespace Bit.Core.Utilities
            }
            return sb.ToString();
        }
+
+        public static string SanitizeForEmail(string value)
+        {
+            return value.Replace("@", "[at]")
+                .Replace("http://", string.Empty)
+                .Replace("https://", string.Empty);
+        }
    }
 }