Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Recipient Variables aren't HTML escaped. Is this expected? #308

Closed
HappyZombies opened this issue Sep 7, 2022 · 1 comment
Closed

Recipient Variables aren't HTML escaped. Is this expected? #308

HappyZombies opened this issue Sep 7, 2022 · 1 comment

Comments

@HappyZombies
Copy link
Contributor

I noticed that for recipient variables, (at least for HTML e-mails), you can send HTML tags and they will be rendered appropriately in the e-mail. I guess this kind of makes sense why it isn't escaped on this module nor mailguns end, it could be you do want HTML variables...so then it be our responsibility escaping HTML tags, right? I guess that's fine. But I think the module could benefit from some flag to automatically do this for us or something.

In a situation, if we are sending e-mails from a databases where the first name is stored, a malicious user can have their name as <a href="badwebsite.com">My Name</a> and it will be rendered as a link tag on the e-mail.

Example (this is examples/send-email.js made it simple and added an HTML tag for the recipient variable):

/* eslint-disable no-console */
const mailgun = require('mailgun.js');
const formData = require('form-data');
const MG = new mailgun(formData);

const { MAILGUN_API_KEY } = process.env;

const mg = MG.client({ username: 'api', key: MAILGUN_API_KEY, timeout: 60000 });

const domain = 'sandbox-123.mailgun.com';
const fromEmail = 'Excited User <[email protected]>';
const toEmails = ['[email protected]'];

const recipientVariables = {
    '[email protected]': {
        firstName: '<a href="badwebsite.com">My Name</a>'
    }
};

(async () => {
    try {
        const sendResult = await mg.messages.create(domain, {
            from: fromEmail,
            to: toEmails,
            subject: 'Hello',
            html: '<p style="margin: 0; font-weight: 600;">Hi %recipient.firstName%,</p><br><h3>Testing some Mailgun awesomness!</h3>',
            text: 'Testing some Mailgun awesomness!',
            "recipient-variables": JSON.stringify(recipientVariables)
        });
        console.log(sendResult);
    } catch (error) {
        console.error(error);
    }
})();

Result: "My Name" is a hyperlink

If this is something that we should be handling then so be it, but I think it should be documented somewhere. Pretty important stuff to know.
@ai-wintermute
Copy link
Collaborator

Hi @HappyZombies we're on this, here's an open issue already. You can track the process there.
I'm closing this issue as a duplicate.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@HappyZombies @ai-wintermute