
Add email template XSS sanitization before rendering Handlebars templates #854

Description

@RUKAYAT-CODER

Overview

src/modules/email-template.service.ts renders Handlebars templates with user-supplied data (e.g. user name, course title). If any user-controlled field contains HTML, and Handlebars triple-brace {{{}}} syntax is used (or HTML is not escaped), it can inject malicious scripts into emails rendered in webmail clients.

Specifications

Features:

  • Sanitize all user-supplied template variables before rendering.
  • Ensure Handlebars always uses double-brace (auto-escaping) syntax.

Tasks:

  • Audit all .hbs template files for triple-brace usage; replace with double-brace.
  • Add a pre-render sanitization step using sanitize-html with a restrictive allowlist.
  • Add a unit test that injects <script>alert(1)</script> into template variables and verifies it is escaped in output.

Impacted Files:

  • src/notifications/email/templates/
  • src/modules/email-template.service.ts

Acceptance Criteria

  • <script> in user-supplied variables is escaped to &lt;script&gt; in rendered output.
  • No triple-brace {{{}}} usage remains in templates.
  • Unit test verifies escaping.
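As an added illustration (not code from this project): a TypeScript pre-render step that escapes every string in the template context, together with the triple-brace audit from the task list above and the checks the acceptance criteria ask for. It assumes no handlebars or sanitize-html dependency is available; `escapeHtml` mirrors the character set that Handlebars double-brace output escapes, and the context and template are constructed samples.

```typescript
// Added example, not the project's own email-template.service.ts.
// Assumption: no external packages; escapeHtml covers the same characters
// that Handlebars {{ }} escapes (& < > " ' ` =).

type TemplateContext = Record<string, unknown>;

const ESCAPE_MAP: Record<string, string> = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;',
  "'": '&#x27;', '`': '&#x60;', '=': '&#x3D;',
};

// Escape a single user-supplied string so it stays inert even if a template
// accidentally renders it with {{{ }}} or a helper marks it as safe.
function escapeHtml(value: string): string {
  return value.replace(/[&<>"'`=]/g, (ch) => ESCAPE_MAP[ch]);
}

// Recursively escape every string in the context before handing it to the renderer.
// Numbers, booleans, null and undefined pass through untouched.
function sanitizeContext<T>(data: T): T {
  if (typeof data === 'string') return escapeHtml(data) as unknown as T;
  if (Array.isArray(data)) return data.map((v) => sanitizeContext(v)) as unknown as T;
  if (data !== null && typeof data === 'object') {
    const out: TemplateContext = {};
    for (const [k, v] of Object.entries(data as TemplateContext)) out[k] = sanitizeContext(v);
    return out as unknown as T;
  }
  return data;
}

// Audit step: list every triple-brace expression in a template source so it can be
// replaced with double-brace. An empty array means the template is clean.
function findTripleBraces(templateSource: string): string[] {
  return templateSource.match(/\{\{\{[^}]*\}\}\}/g) ?? [];
}

// Constructed sample: a course email context carrying an injected script tag,
// and a template that still uses triple-brace for the course title.
const SAMPLE_CONTEXT = {
  userName: '<script>alert(1)</script>',
  course: { title: 'Intro to "Security"' },
};
const SAMPLE_TEMPLATE = '<p>Hi {{userName}}, welcome to {{{course.title}}}!</p>';
```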
