Files
multica/server
Junghwan 1b30ad0ba6 fix(email): HTML-escape workspace/inviter names in invitation email (#1126)
* fix(email): HTML-escape workspace/inviter names in invitation email

SendInvitationEmail interpolated workspaceName and inviterName directly
into the HTML body via fmt.Sprintf with no escaping. A workspace owner
who sets a name like '</h2><a href="https://evil.example">Click</a>'
can break the email structure and inject attacker-controlled links that
appear as part of the official Multica invitation.

Escape both values with html.EscapeString before interpolation. The
Subject line also gets the escaped variants since some transports render
HTML-entity-like sequences.

Closes #1117

* fix(email): use raw names in Subject, keep HTML-escape for body only

Email Subject is a plain-text context — applying html.EscapeString
turns "A&B" into "A&amp;B" and "O'Brien" into "O&#39;Brien" in the
recipient's inbox. Keep the escape for the Html body where it prevents
injection, but use the original values in Subject.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: shaun0927 <shaun0927@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-16 12:57:16 +08:00
..