mirror of
https://github.com/multica-ai/multica.git
synced 2026-06-17 03:38:32 +02:00
Follow-up to #1126 (which closed the HTML-injection vector in the Body). The Subject line is not HTML-rendered, so html.EscapeString would leak literal entities into recipient inboxes. Instead:

- Strip control characters from workspace/inviter names (defense in depth even though Resend also filters CR/LF).
- Cap each field at 60 runes so an attacker can't stuff a full phishing pitch into a workspace name that gets sent from noreply@multica.ai.

Also extracts buildInvitationParams to make the sanitization logic testable without mocking the Resend SDK, and adds a test covering:

- HTML escape behavior for script/attribute/anchor injection payloads
- Subject stripping of \r\n\t and other unicode controls
- Subject NOT being HTML-escaped (so "Acme & Co." stays literal)
- Subject length bounds
- Benign inputs pass through unchanged

Adds a note on SendVerificationCode that its body uses only server-generated content, to prevent the same pitfall from creeping in.

Refs #1117