HTML encode sanitized inputs for email templates (#1138)

2025-02-01 23:31:41 +01:00 · 2021-02-11 14:39:13 -05:00 · 2021-02-11 14:39:13 -05:00 · 7c9ea83ad2
commit 7c9ea83ad2
parent 6cc317c4ba
1 changed files with 3 additions and 2 deletions
--- a/src/Core/Utilities/CoreHelpers.cs
+++ b/src/Core/Utilities/CoreHelpers.cs
@ -503,9 +503,10 @@ namespace Bit.Core.Utilities

        public static string SanitizeForEmail(string value)
        {
-            return value.Replace("@", "[at]")
+            var cleanedValue = value.Replace("@", "[at]")
                .Replace("http://", string.Empty)
                .Replace("https://", string.Empty);
+            return HttpUtility.HtmlEncode(cleanedValue);
        }

        public static string DateTimeToTableStorageKey(DateTime? date = null)
@ -558,7 +559,7 @@ namespace Bit.Core.Utilities
        {
            return TokenIsValid("OrganizationUserInvite", protector, token, userEmail, orgUserId, globalSettings);
        }
-        
+
        public static bool TokenIsValid(string firstTokenPart, IDataProtector protector, string token, string userEmail,
            Guid id, GlobalSettings globalSettings)
        {