mirror of
https://github.com/multica-ai/multica.git
synced 2026-07-05 13:29:44 +02:00
* fix(email): HTML-escape workspace/inviter names in invitation email

  SendInvitationEmail interpolated workspaceName and inviterName directly into the HTML body via fmt.Sprintf with no escaping. A workspace owner who sets a name like '</h2><a href="https://evil.example">Click</a>' can break the email structure and inject attacker-controlled links that appear as part of the official Multica invitation.

  Escape both values with html.EscapeString before interpolation. The Subject line also gets the escaped variants since some transports render HTML-entity-like sequences.

  Closes #1117

* fix(email): use raw names in Subject, keep HTML-escape for body only

  Email Subject is a plain-text context — applying html.EscapeString turns "A&B" into "A&amp;B" and "O'Brien" into "O&#39;Brien" in the recipient's inbox. Keep the escape for the Html body where it prevents injection, but use the original values in Subject.

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: shaun0927 <shaun0927@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
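The two commits above describe a context-specific escaping rule: values interpolated into an HTML body go through html.EscapeString, while the plain-text Subject keeps the raw value. The Go program below is an added illustration written for this page; it is not Multica's SendInvitationEmail and does not reproduce its template. The function names (buildInvitationUnsafe, buildInvitation, anchorCount), the InvitationEmail struct, the template text and the invitation link are assumptions constructed for the example. The "unsafe" builder is kept only to make the difference observable next to the fixed one.

```go
package main

import (
	"fmt"
	"html"
	"strings"
)

// InvitationEmail is a hypothetical container for the two rendered parts of
// an invitation message: a plain-text Subject and an HTML body.
type InvitationEmail struct {
	Subject string
	HTML    string
}

// template is a constructed stand-in for the real invitation markup.
const template = `<h2>%s invited you to join %s</h2><p><a href="%s">Accept invitation</a></p>`

// buildInvitationUnsafe mirrors the pre-fix pattern described in the commit:
// user-controlled names are dropped straight into the HTML body through
// fmt.Sprintf. Kept only to demonstrate what the fix changes.
func buildInvitationUnsafe(workspaceName, inviterName, link string) InvitationEmail {
	return InvitationEmail{
		Subject: fmt.Sprintf("%s invited you to %s", inviterName, workspaceName),
		HTML:    fmt.Sprintf(template, inviterName, workspaceName, link),
	}
}

// buildInvitation applies the rule from the two commits: escape the names for
// the HTML body, but pass the raw names into the plain-text Subject so that
// "A&B" or "O'Brien" do not show up as entities in the recipient's inbox.
func buildInvitation(workspaceName, inviterName, link string) InvitationEmail {
	escWorkspace := html.EscapeString(workspaceName)
	escInviter := html.EscapeString(inviterName)
	return InvitationEmail{
		Subject: fmt.Sprintf("%s invited you to %s", inviterName, workspaceName),
		HTML:    fmt.Sprintf(template, escInviter, escWorkspace, link),
	}
}

// anchorCount is a coarse check used to show the effect of escaping: the
// template itself emits exactly one <a ...> tag, so any additional anchor in
// the rendered body came from interpolated input.
func anchorCount(body string) int {
	return strings.Count(body, "<a ")
}

func main() {
	// Constructed inputs: the payload shape quoted in the commit message and a
	// placeholder invitation link.
	evilWorkspace := `</h2><a href="https://evil.example">Click</a>`
	link := "https://app.example/invite/PLACEHOLDER-TOKEN"

	unsafe := buildInvitationUnsafe(evilWorkspace, "Alice", link)
	fixed := buildInvitation(evilWorkspace, "Alice", link)

	fmt.Printf("unsafe body anchors: %d\n%s\n\n", anchorCount(unsafe.HTML), unsafe.HTML)
	fmt.Printf("fixed body anchors:  %d\n%s\n\n", anchorCount(fixed.HTML), fixed.HTML)

	plain := buildInvitation("A&B", "O'Brien", link)
	fmt.Printf("subject stays plain text: %q\n", plain.Subject)
	fmt.Printf("body is entity-escaped:   %s\n", plain.HTML)
}
```

The design point is that escaping is a property of the output context, not of the value: the same workspaceName is written twice, once into HTML (escaped) and once into a text header (raw). A single "sanitize on input" step would get one of the two contexts wrong, which is exactly the regression the second commit corrects.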