Overview
src/modules/email-template.service.ts renders Handlebars templates with user-supplied data (e.g. user name, course title). If any user-controlled field contains HTML, and Handlebars triple-brace {{{}}} syntax is used (or HTML is not escaped), it can inject malicious scripts into emails rendered in webmail clients.
Specifications
Features:
- Sanitize all user-supplied template variables before rendering.
- Ensure Handlebars always uses double-brace (auto-escaping) syntax.
Tasks:
- Audit all .hbs template files for triple-brace usage; replace with double-brace.
- Add a pre-render sanitization step using sanitize-html with a restrictive allowlist.
- Add a unit test that injects <script>alert(1)</script> into template variables and verifies it is escaped in output.
Impacted Files:
src/notifications/email/templates/
src/modules/email-template.service.ts
Acceptance Criteria
- <script> in user-supplied variables is escaped to &lt;script&gt; in rendered output.
- No triple-brace {{{ }}} usage remains in templates.
- Unit test verifies escaping.
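Added, dependency-free TypeScript example (not the project's own code) covering the audit, the replace step and the unit test described above: it reports and rewrites triple-brace interpolations, and uses a minimal stand-in renderer with the same escape map Handlebars applies to double-brace output to show that an injected script tag comes out escaped. The template text, data and function names are constructed for this example; the stand-in renderer is not the handlebars package.

```typescript
// Added example (not the project's code): audit .hbs sources for triple-brace
// output, rewrite them to double-brace, and check that Handlebars-style escaping
// neutralises injected markup. Uses a tiny stand-in renderer, not the handlebars
// package, so it runs with no dependencies.

// The same character map Handlebars applies to {{ }} output.
const ESCAPE_MAP: Record<string, string> = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;",
  "'": "&#x27;", "`": "&#x60;", "=": "&#x3D;",
};

function escapeExpression(value: unknown): string {
  return String(value ?? "").replace(/[&<>"'`=]/g, (c) => ESCAPE_MAP[c] ?? c);
}

// Matches {{{expr}}} but not the four-brace {{{{raw}}}} block form.
const TRIPLE = /(?<!\{)\{\{\{\s*([^{}]+?)\s*\}\}\}(?!\})/g;

interface TripleBraceHit { line: number; expr: string }

// Audit step: report every triple-brace interpolation with its line number.
function findTripleBraces(source: string): TripleBraceHit[] {
  const hits: TripleBraceHit[] = [];
  source.split("\n").forEach((text, i) => {
    let m: RegExpExecArray | null;
    TRIPLE.lastIndex = 0;
    while ((m = TRIPLE.exec(text)) !== null) hits.push({ line: i + 1, expr: m[1] });
  });
  return hits;
}

// Fix step: {{{expr}}} -> {{expr}} so the template engine escapes the value.
function fixTripleBraces(source: string): string {
  return source.replace(TRIPLE, (_, expr: string) => `{{${expr}}}`);
}

// Stand-in renderer: {{{x}}} inserts verbatim, {{x}} escapes (mirrors Handlebars).
function render(template: string, data: Record<string, unknown>): string {
  return template.replace(
    /\{\{\{\s*(\w+)\s*\}\}\}|\{\{\s*(\w+)\s*\}\}/g,
    (_, raw?: string, esc?: string) =>
      raw !== undefined ? String(data[raw] ?? "") : escapeExpression(data[esc as string]),
  );
}

// Constructed template with one unsafe and one safe interpolation.
const SAMPLE_TEMPLATE = "<p>Hi {{{userName}}},</p>\n<p>Welcome to {{courseTitle}}</p>";
```

Running findTripleBraces over every file under src/notifications/email/templates/ gives the audit list; the render assertions are the shape of the unit test the ticket asks for.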