🐛 (sendEmail) Escape html from variables in custom body

Closes #439
2023-04-17 15:54:52 +02:00
parent 928afd5a6c
commit f7d94de66e
2 changed files with 5 additions and 1 deletions
--- a/apps/viewer/src/features/blocks/integrations/sendEmail/executeSendEmailBlock.tsx
+++ b/apps/viewer/src/features/blocks/integrations/sendEmail/executeSendEmailBlock.tsx
@ -46,7 +46,7 @@ export const executeSendEmailBlock = async (
      credentialsId: options.credentialsId,
      recipients: options.recipients.map(parseVariables(variables)),
      subject: parseVariables(variables)(options.subject ?? ''),
-      body: parseVariables(variables)(options.body ?? ''),
+      body: parseVariables(variables, { escapeHtml: true })(options.body ?? ''),
      cc: (options.cc ?? []).map(parseVariables(variables)),
      bcc: (options.bcc ?? []).map(parseVariables(variables)),
      replyTo: options.replyTo
--- a/apps/viewer/src/features/variables/parseVariables.ts
+++ b/apps/viewer/src/features/variables/parseVariables.ts
@ -6,12 +6,14 @@ export type ParseVariablesOptions = {
  fieldToParse?: 'value' | 'id'
  escapeForJson?: boolean
  takeLatestIfList?: boolean
+  escapeHtml?: boolean
 }

 export const defaultParseVariablesOptions: ParseVariablesOptions = {
  fieldToParse: 'value',
  escapeForJson: false,
  takeLatestIfList: false,
+  escapeHtml: false,
 }

 export const parseVariables =
@ -50,6 +52,8 @@ export const parseVariables =
              : value
          )
        if (!parsedValue) return dollarSign + ''
+        if (options.escapeHtml)
+          return parsedValue.replace(/</g, '&lt;').replace(/>/g, '&gt;')
        return parsedValue
      }
    )