0.27.0 #860
…ns updateRole and deleteMember
…isible to finance members
☁️ Nx Cloud ReportCI is running/has finished running commands for commit 618ae64. As they complete they will appear below. Click to see the status, the terminal output, and the build insights. 📂 See all runs for this CI Pipeline Execution ✅ Successfully ran 1 targetSent with 💌 from NxCloud. |
libs/dal/src/repositories/environment/environment.repository.ts
<body> | ||
<div class="container"> | ||
<div class="header"> | ||
<h1>${invitedBy} invited you to join the project <b>"${projectName}"</b></h1> |
Check warning
Code scanning / CodeQL
Unsafe HTML constructed from library input Medium
library input
html injection
<body> | ||
<div class="container"> | ||
<div class="header"> | ||
<h1>${invitedBy} invited you to join the project <b>"${projectName}"</b></h1> |
Check warning
Code scanning / CodeQL
Unsafe HTML constructed from library input Medium
library input
html injection
|
||
<div class="content"> | ||
<p>Hello</p> | ||
<p>You have been invited to join the project <strong>${projectName}</strong>. Please click the button below to accept the invitation.</p> |
Check warning
Code scanning / CodeQL
Unsafe HTML constructed from library input Medium
library input
html injection
<p>You have been invited to join the project <strong>${projectName}</strong>. Please click the button below to accept the invitation.</p> | ||
|
||
<div class="button-container"> | ||
<a href="${invitationUrl}" class="button">Accept Invitation</a> |
Check warning
Code scanning / CodeQL
Unsafe HTML constructed from library input Medium
library input
html injection
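Review bot: The CodeQL findings on these interpolations are real for an email body, not noise: `invitedBy` and `projectName` are values other users choose, and a `<` or `"` inside them rewrites the markup of a transactional email, which is enough for an injected phishing link or hidden text even though mail clients do not execute scripts. The change the PR needs is entity-escaping at every `${…}` site rather than tag stripping, and the same helper also covers the `href` of the Accept button because it is a quoted attribute. If `invitationUrl` is assembled by the caller from a trusted base URL and a token, as the name suggests, escaping is sufficient there; should any segment be user-supplied it should additionally be parsed with `new URL()` and restricted to the app's origin. The template function these lines belong to is not shown here, so the helper below is given as an excerpt to place next to the template map.
```typescript
/** Escape a value for interpolation into the HTML email templates (text and quoted-attribute contexts). */
const HTML_ESCAPES: Record<string, string> = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const escapeHtml = (value: unknown): string =>
  String(value ?? '').replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch] ?? ch);

// … unchanged: TEAM_INVITATION_EMAIL <head>/<style> markup …
<h1>${escapeHtml(invitedBy)} invited you to join the project <b>"${escapeHtml(projectName)}"</b></h1>
// … unchanged …
<p>You have been invited to join the project <strong>${escapeHtml(projectName)}</strong>. Please click the button below to accept the invitation.</p>
// … unchanged …
<a href="${escapeHtml(invitationUrl)}" class="button">Accept Invitation</a>
```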
Copilot Autofix AI 2 months ago
To fix the problem, we need to ensure that the invitationUrl
is properly sanitized before being used in the HTML template. This can be achieved by using a library like DOMPurify
to sanitize the URL. This will prevent any potential HTML injection attacks.
- Install the
DOMPurify
library. - Import
DOMPurify
in the file. - Use
DOMPurify
to sanitize the invitationUrl
before interpolating it into the HTML.
@@ -2,2 +2,3 @@ | ||
import { SESClient, SendRawEmailCommand } from '@aws-sdk/client-ses'; | ||
import DOMPurify from 'dompurify'; | ||
|
||
@@ -419,76 +420,79 @@ | ||
|
||
TEAM_INVITATION_EMAIL: ({ invitedBy, projectName, invitationUrl }: ITeamnvitationEmailOptions) => ` | ||
<!DOCTYPE html> | ||
<html lang="en"> | ||
<head> | ||
<meta charset="UTF-8"> | ||
<meta name="viewport" content="width=device-width, initial-scale=1.0"> | ||
<style> | ||
body { | ||
font-family: Arial, sans-serif; | ||
background-color: #f5f5f5; | ||
margin: 0; | ||
padding: 20px; | ||
} | ||
.container { | ||
max-width: 600px; | ||
margin: 0 auto; | ||
background-color: white; | ||
padding: 30px; | ||
border-radius: 8px; | ||
box-shadow: 0 2px 4px rgba(0, 0, 0, 0.1); | ||
} | ||
.header { | ||
text-align: center; | ||
margin-bottom: 20px; | ||
} | ||
.header h1 { | ||
font-size: 24px; | ||
color: #333; | ||
} | ||
.content { | ||
color: #555; | ||
line-height: 1.6; | ||
} | ||
.button-container { | ||
text-align: center; | ||
margin-top: 20px; | ||
} | ||
.button { | ||
background-color: #4caf50; | ||
color: white; | ||
padding: 10px 20px; | ||
text-decoration: none; | ||
border-radius: 5px; | ||
font-size: 16px; | ||
} | ||
.footer { | ||
margin-top: 20px; | ||
text-align: center; | ||
color: #777; | ||
} | ||
.centered-text { | ||
text-align: center; | ||
} | ||
</style> | ||
</head> | ||
<body> | ||
<div class="container"> | ||
<div class="header"> | ||
<h1>${invitedBy} invited you to join the project <b>"${projectName}"</b></h1> | ||
</div> | ||
|
||
<div class="content"> | ||
<p>Hello</p> | ||
<p>You have been invited to join the project <strong>${projectName}</strong>. Please click the button below to accept the invitation.</p> | ||
|
||
<div class="button-container"> | ||
<a href="${invitationUrl}" class="button">Accept Invitation</a> | ||
</div> | ||
|
||
</div> | ||
<p class="centered-text">If you don't know about this request, please ignore this email.</p> | ||
</div> | ||
</body> | ||
</html>`, | ||
TEAM_INVITATION_EMAIL: ({ invitedBy, projectName, invitationUrl }: ITeamnvitationEmailOptions) => { | ||
const sanitizedInvitationUrl = DOMPurify.sanitize(invitationUrl); | ||
return ` | ||
<!DOCTYPE html> | ||
<html lang="en"> | ||
<head> | ||
<meta charset="UTF-8"> | ||
<meta name="viewport" content="width=device-width, initial-scale=1.0"> | ||
<style> | ||
body { | ||
font-family: Arial, sans-serif; | ||
background-color: #f5f5f5; | ||
margin: 0; | ||
padding: 20px; | ||
} | ||
.container { | ||
max-width: 600px; | ||
margin: 0 auto; | ||
background-color: white; | ||
padding: 30px; | ||
border-radius: 8px; | ||
box-shadow: 0 2px 4px rgba(0, 0, 0, 0.1); | ||
} | ||
.header { | ||
text-align: center; | ||
margin-bottom: 20px; | ||
} | ||
.header h1 { | ||
font-size: 24px; | ||
color: #333; | ||
} | ||
.content { | ||
color: #555; | ||
line-height: 1.6; | ||
} | ||
.button-container { | ||
text-align: center; | ||
margin-top: 20px; | ||
} | ||
.button { | ||
background-color: #4caf50; | ||
color: white; | ||
padding: 10px 20px; | ||
text-decoration: none; | ||
border-radius: 5px; | ||
font-size: 16px; | ||
} | ||
.footer { | ||
margin-top: 20px; | ||
text-align: center; | ||
color: #777; | ||
} | ||
.centered-text { | ||
text-align: center; | ||
} | ||
</style> | ||
</head> | ||
<body> | ||
<div class="container"> | ||
<div class="header"> | ||
<h1>${invitedBy} invited you to join the project <b>"${projectName}"</b></h1> | ||
</div> | ||
|
||
<div class="content"> | ||
<p>Hello</p> | ||
<p>You have been invited to join the project <strong>${projectName}</strong>. Please click the button below to accept the invitation.</p> | ||
|
||
<div class="button-container"> | ||
<a href="${sanitizedInvitationUrl}" class="button">Accept Invitation</a> | ||
</div> | ||
|
||
</div> | ||
<p class="centered-text">If you don't know about this request, please ignore this email.</p> | ||
</div> | ||
</body> | ||
</html>`; | ||
}, | ||
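Review bot: `DOMPurify.sanitize(invitationUrl)` on the new `const sanitizedInvitationUrl = …` line is the wrong control for a value placed inside `href="…"`: DOMPurify cleans an HTML fragment and passes plain text through, so a `javascript:` scheme or a `"` that closes the attribute survives and the attribute context is no safer than before. DOMPurify is also a browser library; imported bare in a Node service it has no DOM and, as far as I recall its server-side setup, must be created from a `jsdom` window before `sanitize` works, which this suggestion does not add. The template's other interpolations (`invitedBy` and `projectName` in the `<h1>` and `<p>`) are left untouched by the autofix. A better change is to attribute-escape the URL with a small `&<>"'` entity-escape helper and, if its origin can be untrusted, validate it first: `const url = new URL(invitationUrl); if (!['http:', 'https:'].includes(url.protocol)) throw new Error('invalid invitation url');` then `href="${escapeHtml(url.href)}"`.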
|
@@ -9,4 +9,13 @@ | ||
"main": "dist/index.js", | ||
"keywords": ["impler", "implerhq", "data-import", "excel-import", "csv-import"], | ||
"files": ["dist", "package.json"], | ||
"keywords": [ | ||
"impler", | ||
"implerhq", | ||
"data-import", | ||
"excel-import", | ||
"csv-import" | ||
], | ||
"files": [ | ||
"dist", | ||
"package.json" | ||
], | ||
"scripts": { | ||
@@ -35,6 +44,9 @@ | ||
"nodemailer": "^6.9.14", | ||
"uuid": "^9.0.0" | ||
"uuid": "^9.0.0", | ||
"dompurify": "^3.1.7" | ||
}, | ||
"lint-staged": { | ||
"*.{js,jsx,ts,tsx}": ["prettier --ignore-path .eslintignore --write"], | ||
"*.{js,jsx,ts,tsx}": [ | ||
"prettier --ignore-path .eslintignore --write" | ||
], | ||
"{*.json,.{babelrc,eslintrc,prettierrc,stylelintrc}}": [ | ||
@@ -42,3 +54,5 @@ | ||
], | ||
"*.{html,md,yml}": ["prettier --ignore-path .eslintignore --single-quote --write"] | ||
"*.{html,md,yml}": [ | ||
"prettier --ignore-path .eslintignore --single-quote --write" | ||
] | ||
} |
Package | Version | Security advisories |
dompurify (npm) | 3.1.7 | None |
<body> | ||
<div class="container"> | ||
<div class="logo"><img src="https://impler.io/wp-content/uploads/2024/07/Logo-black.png" style="width: 150px;" alt="Impler Logo" /></div> | ||
<h1>Project Invitation Declined: ${projectName}</h1> |
Check warning
Code scanning / CodeQL
Unsafe HTML constructed from library input Medium
library input
html injection
Copilot Autofix AI 2 months ago
To fix the problem, we need to ensure that any dynamic content inserted into the HTML is properly sanitized to prevent XSS attacks. The best way to fix this issue without changing existing functionality is to use an HTML sanitizer library to clean the input before inserting it into the HTML. This will ensure that any potentially malicious content is removed.
We will:
- Import an HTML sanitizer library.
- Sanitize the projectName, invitedBy, and declinedBy variables before inserting them into the HTML.
@@ -1,2 +1,3 @@ | ||
import * as nodemailer from 'nodemailer'; | ||
import sanitizeHtml from 'sanitize-html'; | ||
import { SESClient, SendRawEmailCommand } from '@aws-sdk/client-ses'; | ||
@@ -629,3 +630,7 @@ | ||
</html>`, | ||
DECLINE_INVITATION_EMAIL: ({ invitedBy, projectName, declinedBy }: IDeclineInvitationEmailOptions) => ` | ||
DECLINE_INVITATION_EMAIL: ({ invitedBy, projectName, declinedBy }: IDeclineInvitationEmailOptions) => { | ||
const sanitizedProjectName = sanitizeHtml(projectName); | ||
const sanitizedInvitedBy = sanitizeHtml(invitedBy); | ||
const sanitizedDeclinedBy = sanitizeHtml(declinedBy); | ||
return ` | ||
<!DOCTYPE html> | ||
@@ -678,8 +683,8 @@ | ||
<div class="logo"><img src="https://impler.io/wp-content/uploads/2024/07/Logo-black.png" style="width: 150px;" alt="Impler Logo" /></div> | ||
<h1>Project Invitation Declined: ${projectName}</h1> | ||
<p>${declinedBy} has declined the invitation to join the project.</p> | ||
<h1>Project Invitation Declined: ${sanitizedProjectName}</h1> | ||
<p>${sanitizedDeclinedBy} has declined the invitation to join the project.</p> | ||
<ul> | ||
<li><strong>Project Name:</strong> ${projectName}</li> | ||
<li><strong>Invited By:</strong> ${invitedBy}</li> | ||
<li><strong>Declined By:</strong> ${declinedBy}</li> | ||
<li><strong>Project Name:</strong> ${sanitizedProjectName}</li> | ||
<li><strong>Invited By:</strong> ${sanitizedInvitedBy}</li> | ||
<li><strong>Declined By:</strong> ${sanitizedDeclinedBy}</li> | ||
</ul> | ||
@@ -691,3 +696,4 @@ | ||
</body> | ||
</html>`, | ||
</html>`; | ||
}, | ||
}; |
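Review bot: `sanitizeHtml(projectName)` and the two sibling calls run with sanitize-html's default allow-list, which keeps tags such as `<a href="https://…">`, `<b>` and `<span>`, so a project or user name can still carry a clickable link into this transactional email; for plain-text display fields the goal is escaping, not selective markup retention. If sanitize-html is kept, call it as `sanitizeHtml(projectName, { allowedTags: [], allowedAttributes: {} })`, which drops every tag and entity-encodes the remaining text; otherwise a five-line `&<>"'` escape helper avoids the new dependency entirely. DECLINE_INVITATION_EMAIL's template body between the two hunks is not shown, so any interpolation there is not covered by this change.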
@@ -9,4 +9,13 @@ | ||
"main": "dist/index.js", | ||
"keywords": ["impler", "implerhq", "data-import", "excel-import", "csv-import"], | ||
"files": ["dist", "package.json"], | ||
"keywords": [ | ||
"impler", | ||
"implerhq", | ||
"data-import", | ||
"excel-import", | ||
"csv-import" | ||
], | ||
"files": [ | ||
"dist", | ||
"package.json" | ||
], | ||
"scripts": { | ||
@@ -35,6 +44,9 @@ | ||
"nodemailer": "^6.9.14", | ||
"uuid": "^9.0.0" | ||
"uuid": "^9.0.0", | ||
"sanitize-html": "^2.13.1" | ||
}, | ||
"lint-staged": { | ||
"*.{js,jsx,ts,tsx}": ["prettier --ignore-path .eslintignore --write"], | ||
"*.{js,jsx,ts,tsx}": [ | ||
"prettier --ignore-path .eslintignore --write" | ||
], | ||
"{*.json,.{babelrc,eslintrc,prettierrc,stylelintrc}}": [ | ||
@@ -42,3 +54,5 @@ | ||
], | ||
"*.{html,md,yml}": ["prettier --ignore-path .eslintignore --single-quote --write"] | ||
"*.{html,md,yml}": [ | ||
"prettier --ignore-path .eslintignore --single-quote --write" | ||
] | ||
} |
Package | Version | Security advisories |
sanitize-html (npm) | 2.13.1 | None |
<div class="container"> | ||
<div class="logo"><img src="https://impler.io/wp-content/uploads/2024/07/Logo-black.png" style="width: 150px;" alt="Impler Logo" /></div> | ||
<h1>Project Invitation Declined: ${projectName}</h1> | ||
<p>${declinedBy} has declined the invitation to join the project.</p> |
Check warning
Code scanning / CodeQL
Unsafe HTML constructed from library input Medium
library input
html injection
Copilot Autofix AI 2 months ago
To fix the problem, we need to ensure that any user-supplied input is properly sanitized before being inserted into the HTML content. This can be achieved by using an HTML sanitizer library to remove any potentially harmful content from the input.
The best way to fix this issue without changing the existing functionality is to use a library like striptags
to sanitize the declinedBy
, projectName
, and invitedBy
variables before inserting them into the HTML content. This will ensure that any HTML tags or scripts are removed from the input, preventing XSS attacks.
@@ -1,2 +1,3 @@ | ||
import * as nodemailer from 'nodemailer'; | ||
import * as striptags from 'striptags'; | ||
import { SESClient, SendRawEmailCommand } from '@aws-sdk/client-ses'; | ||
@@ -629,3 +630,7 @@ | ||
</html>`, | ||
DECLINE_INVITATION_EMAIL: ({ invitedBy, projectName, declinedBy }: IDeclineInvitationEmailOptions) => ` | ||
DECLINE_INVITATION_EMAIL: ({ invitedBy, projectName, declinedBy }: IDeclineInvitationEmailOptions) => { | ||
const sanitizedInvitedBy = striptags(invitedBy); | ||
const sanitizedProjectName = striptags(projectName); | ||
const sanitizedDeclinedBy = striptags(declinedBy); | ||
return ` | ||
<!DOCTYPE html> | ||
@@ -678,8 +683,8 @@ | ||
<div class="logo"><img src="https://impler.io/wp-content/uploads/2024/07/Logo-black.png" style="width: 150px;" alt="Impler Logo" /></div> | ||
<h1>Project Invitation Declined: ${projectName}</h1> | ||
<p>${declinedBy} has declined the invitation to join the project.</p> | ||
<h1>Project Invitation Declined: ${sanitizedProjectName}</h1> | ||
<p>${sanitizedDeclinedBy} has declined the invitation to join the project.</p> | ||
<ul> | ||
<li><strong>Project Name:</strong> ${projectName}</li> | ||
<li><strong>Invited By:</strong> ${invitedBy}</li> | ||
<li><strong>Declined By:</strong> ${declinedBy}</li> | ||
<li><strong>Project Name:</strong> ${sanitizedProjectName}</li> | ||
<li><strong>Invited By:</strong> ${sanitizedInvitedBy}</li> | ||
<li><strong>Declined By:</strong> ${sanitizedDeclinedBy}</li> | ||
</ul> | ||
@@ -691,3 +696,4 @@ | ||
</body> | ||
</html>`, | ||
</html>`; | ||
}, | ||
}; |
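Review bot: `striptags(invitedBy)` and the sibling calls remove whatever parses as a tag but do not encode what remains, so a stray `"` or `&` passes through and a legitimate name such as `Team <Alpha>` is silently truncated to `Team `; for text nodes the right transform is entity escaping, which both preserves the value and neutralises it. A helper that maps `&<>"'` to `&amp; &lt; &gt; &quot; &#39;` needs no new dependency and should be applied at every `${…}` in the template map, not only inside this one function. The function's template body between the two hunks is not shown, so interpolations there would need the same treatment.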
@@ -9,4 +9,13 @@ | ||
"main": "dist/index.js", | ||
"keywords": ["impler", "implerhq", "data-import", "excel-import", "csv-import"], | ||
"files": ["dist", "package.json"], | ||
"keywords": [ | ||
"impler", | ||
"implerhq", | ||
"data-import", | ||
"excel-import", | ||
"csv-import" | ||
], | ||
"files": [ | ||
"dist", | ||
"package.json" | ||
], | ||
"scripts": { | ||
@@ -35,6 +44,9 @@ | ||
"nodemailer": "^6.9.14", | ||
"uuid": "^9.0.0" | ||
"uuid": "^9.0.0", | ||
"striptags": "^3.2.0" | ||
}, | ||
"lint-staged": { | ||
"*.{js,jsx,ts,tsx}": ["prettier --ignore-path .eslintignore --write"], | ||
"*.{js,jsx,ts,tsx}": [ | ||
"prettier --ignore-path .eslintignore --write" | ||
], | ||
"{*.json,.{babelrc,eslintrc,prettierrc,stylelintrc}}": [ | ||
@@ -42,3 +54,5 @@ | ||
], | ||
"*.{html,md,yml}": ["prettier --ignore-path .eslintignore --single-quote --write"] | ||
"*.{html,md,yml}": [ | ||
"prettier --ignore-path .eslintignore --single-quote --write" | ||
] | ||
} |
Package | Version | Security advisories |
striptags (npm) | 3.2.0 | None |
<h1>Project Invitation Declined: ${projectName}</h1> | ||
<p>${declinedBy} has declined the invitation to join the project.</p> | ||
<ul> | ||
<li><strong>Project Name:</strong> ${projectName}</li> |
Check warning
Code scanning / CodeQL
Unsafe HTML constructed from library input Medium
library input
html injection
Copilot Autofix AI 2 months ago
To fix the problem, we need to ensure that any dynamic content inserted into the HTML is properly sanitized to prevent XSS attacks. The best way to fix this issue is to use an HTML sanitizer library to clean the input before inserting it into the HTML. This approach maintains the existing functionality while ensuring the content is safe.
- Install an HTML sanitizer library such as
dompurify
. - Import the sanitizer library in the file.
- Use the sanitizer to clean the dynamic content before inserting it into the HTML.
@@ -2,2 +2,3 @@ | ||
import { SESClient, SendRawEmailCommand } from '@aws-sdk/client-ses'; | ||
import DOMPurify from 'dompurify'; | ||
|
||
@@ -678,8 +679,8 @@ | ||
<div class="logo"><img src="https://impler.io/wp-content/uploads/2024/07/Logo-black.png" style="width: 150px;" alt="Impler Logo" /></div> | ||
<h1>Project Invitation Declined: ${projectName}</h1> | ||
<p>${declinedBy} has declined the invitation to join the project.</p> | ||
<h1>Project Invitation Declined: ${DOMPurify.sanitize(projectName)}</h1> | ||
<p>${DOMPurify.sanitize(declinedBy)} has declined the invitation to join the project.</p> | ||
<ul> | ||
<li><strong>Project Name:</strong> ${projectName}</li> | ||
<li><strong>Invited By:</strong> ${invitedBy}</li> | ||
<li><strong>Declined By:</strong> ${declinedBy}</li> | ||
<li><strong>Project Name:</strong> ${DOMPurify.sanitize(projectName)}</li> | ||
<li><strong>Invited By:</strong> ${DOMPurify.sanitize(invitedBy)}</li> | ||
<li><strong>Declined By:</strong> ${DOMPurify.sanitize(declinedBy)}</li> | ||
</ul> |
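Review bot: `DOMPurify.sanitize(projectName)` and its siblings on the new `<h1>`, `<p>` and `<li>` lines keep markup DOMPurify considers safe, including `<a href="https://…">` and `<b>`, so `declinedBy` or `projectName` can still deliver a phishing link in this email; these are display names and should be entity-escaped, not sanitised as HTML. DOMPurify is additionally a browser library: used bare in Node as this diff does, it has no DOM to work with and needs to be instantiated with a `jsdom` window, which the suggestion neither imports nor adds to package.json. A local `escapeHtml` helper replacing `&<>"'` with entities is simpler than either dependency. The enclosing DECLINE_INVITATION_EMAIL function begins and ends outside this hunk.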
@@ -9,4 +9,13 @@ | ||
"main": "dist/index.js", | ||
"keywords": ["impler", "implerhq", "data-import", "excel-import", "csv-import"], | ||
"files": ["dist", "package.json"], | ||
"keywords": [ | ||
"impler", | ||
"implerhq", | ||
"data-import", | ||
"excel-import", | ||
"csv-import" | ||
], | ||
"files": [ | ||
"dist", | ||
"package.json" | ||
], | ||
"scripts": { | ||
@@ -35,6 +44,9 @@ | ||
"nodemailer": "^6.9.14", | ||
"uuid": "^9.0.0" | ||
"uuid": "^9.0.0", | ||
"dompurify": "^3.1.7" | ||
}, | ||
"lint-staged": { | ||
"*.{js,jsx,ts,tsx}": ["prettier --ignore-path .eslintignore --write"], | ||
"*.{js,jsx,ts,tsx}": [ | ||
"prettier --ignore-path .eslintignore --write" | ||
], | ||
"{*.json,.{babelrc,eslintrc,prettierrc,stylelintrc}}": [ | ||
@@ -42,3 +54,5 @@ | ||
], | ||
"*.{html,md,yml}": ["prettier --ignore-path .eslintignore --single-quote --write"] | ||
"*.{html,md,yml}": [ | ||
"prettier --ignore-path .eslintignore --single-quote --write" | ||
] | ||
} |
Package | Version | Security advisories |
dompurify (npm) | 3.1.7 | None |
<p>${declinedBy} has declined the invitation to join the project.</p> | ||
<ul> | ||
<li><strong>Project Name:</strong> ${projectName}</li> | ||
<li><strong>Invited By:</strong> ${invitedBy}</li> |
Check warning
Code scanning / CodeQL
Unsafe HTML constructed from library input Medium
library input
html injection
Copilot Autofix AI 2 months ago
To fix the problem, we need to ensure that any dynamic content interpolated into the HTML is properly sanitized or escaped to prevent XSS attacks. The best way to fix this without changing the existing functionality is to use a library like striptags
to sanitize the input before including it in the HTML content.
- Install the striptags library to sanitize the input.
- Modify the code to sanitize the invitedBy, projectName, and declinedBy variables before they are interpolated into the HTML content.
@@ -1,2 +1,3 @@ | ||
import * as nodemailer from 'nodemailer'; | ||
import * as striptags from 'striptags'; | ||
import { SESClient, SendRawEmailCommand } from '@aws-sdk/client-ses'; | ||
@@ -629,3 +630,7 @@ | ||
</html>`, | ||
DECLINE_INVITATION_EMAIL: ({ invitedBy, projectName, declinedBy }: IDeclineInvitationEmailOptions) => ` | ||
DECLINE_INVITATION_EMAIL: ({ invitedBy, projectName, declinedBy }: IDeclineInvitationEmailOptions) => { | ||
const sanitizedInvitedBy = striptags(invitedBy); | ||
const sanitizedProjectName = striptags(projectName); | ||
const sanitizedDeclinedBy = striptags(declinedBy); | ||
return ` | ||
<!DOCTYPE html> | ||
@@ -678,8 +683,8 @@ | ||
<div class="logo"><img src="https://impler.io/wp-content/uploads/2024/07/Logo-black.png" style="width: 150px;" alt="Impler Logo" /></div> | ||
<h1>Project Invitation Declined: ${projectName}</h1> | ||
<p>${declinedBy} has declined the invitation to join the project.</p> | ||
<h1>Project Invitation Declined: ${sanitizedProjectName}</h1> | ||
<p>${sanitizedDeclinedBy} has declined the invitation to join the project.</p> | ||
<ul> | ||
<li><strong>Project Name:</strong> ${projectName}</li> | ||
<li><strong>Invited By:</strong> ${invitedBy}</li> | ||
<li><strong>Declined By:</strong> ${declinedBy}</li> | ||
<li><strong>Project Name:</strong> ${sanitizedProjectName}</li> | ||
<li><strong>Invited By:</strong> ${sanitizedInvitedBy}</li> | ||
<li><strong>Declined By:</strong> ${sanitizedDeclinedBy}</li> | ||
</ul> | ||
@@ -691,3 +696,4 @@ | ||
</body> | ||
</html>`, | ||
</html>`; | ||
}, | ||
}; |
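Review bot: `import * as striptags from 'striptags'` followed by the call `striptags(invitedBy)` treats a namespace import as callable; striptags is published as a CommonJS `module.exports = function`, and if this package compiles with `esModuleInterop` (common in NestJS projects, though the tsconfig is not visible here) the namespace object is not callable and the build fails with TS2349. The safe form is `import striptags from 'striptags';`. Independently of the import, stripping tags is weaker than entity-escaping for these name fields because `"` and `&` are left untouched and legitimate `<` characters are lost. The middle of the function's template is not part of this hunk.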
@@ -9,4 +9,13 @@ | ||
"main": "dist/index.js", | ||
"keywords": ["impler", "implerhq", "data-import", "excel-import", "csv-import"], | ||
"files": ["dist", "package.json"], | ||
"keywords": [ | ||
"impler", | ||
"implerhq", | ||
"data-import", | ||
"excel-import", | ||
"csv-import" | ||
], | ||
"files": [ | ||
"dist", | ||
"package.json" | ||
], | ||
"scripts": { | ||
@@ -35,6 +44,9 @@ | ||
"nodemailer": "^6.9.14", | ||
"uuid": "^9.0.0" | ||
"uuid": "^9.0.0", | ||
"striptags": "^3.2.0" | ||
}, | ||
"lint-staged": { | ||
"*.{js,jsx,ts,tsx}": ["prettier --ignore-path .eslintignore --write"], | ||
"*.{js,jsx,ts,tsx}": [ | ||
"prettier --ignore-path .eslintignore --write" | ||
], | ||
"{*.json,.{babelrc,eslintrc,prettierrc,stylelintrc}}": [ | ||
@@ -42,3 +54,5 @@ | ||
], | ||
"*.{html,md,yml}": ["prettier --ignore-path .eslintignore --single-quote --write"] | ||
"*.{html,md,yml}": [ | ||
"prettier --ignore-path .eslintignore --single-quote --write" | ||
] | ||
} |
Package | Version | Security advisories |
striptags (npm) | 3.2.0 | None |
<ul> | ||
<li><strong>Project Name:</strong> ${projectName}</li> | ||
<li><strong>Invited By:</strong> ${invitedBy}</li> | ||
<li><strong>Declined By:</strong> ${declinedBy}</li> |
Check warning
Code scanning / CodeQL
Unsafe HTML constructed from library input Medium
library input
html injection
Copilot Autofix AI 2 months ago
To fix the problem, we need to ensure that any user-supplied input is properly sanitized before being included in the HTML content. This can be achieved by using an HTML sanitizer library to strip out any potentially harmful content from the input.
The best way to fix this issue without changing existing functionality is to use a library like striptags
to sanitize the declinedBy
, projectName
, and invitedBy
variables before they are interpolated into the HTML content. This ensures that any malicious scripts are removed from the input.
@@ -1,2 +1,3 @@ | ||
import * as nodemailer from 'nodemailer'; | ||
import * as striptags from 'striptags'; | ||
import { SESClient, SendRawEmailCommand } from '@aws-sdk/client-ses'; | ||
@@ -629,3 +630,7 @@ | ||
</html>`, | ||
DECLINE_INVITATION_EMAIL: ({ invitedBy, projectName, declinedBy }: IDeclineInvitationEmailOptions) => ` | ||
DECLINE_INVITATION_EMAIL: ({ invitedBy, projectName, declinedBy }: IDeclineInvitationEmailOptions) => { | ||
const sanitizedInvitedBy = striptags(invitedBy); | ||
const sanitizedProjectName = striptags(projectName); | ||
const sanitizedDeclinedBy = striptags(declinedBy); | ||
return ` | ||
<!DOCTYPE html> | ||
@@ -678,8 +683,8 @@ | ||
<div class="logo"><img src="https://impler.io/wp-content/uploads/2024/07/Logo-black.png" style="width: 150px;" alt="Impler Logo" /></div> | ||
<h1>Project Invitation Declined: ${projectName}</h1> | ||
<p>${declinedBy} has declined the invitation to join the project.</p> | ||
<h1>Project Invitation Declined: ${sanitizedProjectName}</h1> | ||
<p>${sanitizedDeclinedBy} has declined the invitation to join the project.</p> | ||
<ul> | ||
<li><strong>Project Name:</strong> ${projectName}</li> | ||
<li><strong>Invited By:</strong> ${invitedBy}</li> | ||
<li><strong>Declined By:</strong> ${declinedBy}</li> | ||
<li><strong>Project Name:</strong> ${sanitizedProjectName}</li> | ||
<li><strong>Invited By:</strong> ${sanitizedInvitedBy}</li> | ||
<li><strong>Declined By:</strong> ${sanitizedDeclinedBy}</li> | ||
</ul> | ||
@@ -691,3 +696,4 @@ | ||
</body> | ||
</html>`, | ||
</html>`; | ||
}, | ||
}; |
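Review bot: The three `sanitized*` locals are substituted only into the lines shown in the second hunk (683–690), while the template's lines 636–677 are not part of the diff; if `projectName`, `invitedBy` or `declinedBy` also appear there (a `<title>` or preheader, for instance) they remain raw, and presumably the email subject built outside this file is not covered either. Pre-computed locals are easy to miss on the next edit; applying a single `escapeHtml` directly at each `${…}` site is harder to bypass. Stripping tags also leaves `"` and `&` unencoded, so the helper should entity-escape rather than strip. The rest of DECLINE_INVITATION_EMAIL's body lies outside this hunk.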
@@ -9,4 +9,13 @@ | ||
"main": "dist/index.js", | ||
"keywords": ["impler", "implerhq", "data-import", "excel-import", "csv-import"], | ||
"files": ["dist", "package.json"], | ||
"keywords": [ | ||
"impler", | ||
"implerhq", | ||
"data-import", | ||
"excel-import", | ||
"csv-import" | ||
], | ||
"files": [ | ||
"dist", | ||
"package.json" | ||
], | ||
"scripts": { | ||
@@ -35,6 +44,9 @@ | ||
"nodemailer": "^6.9.14", | ||
"uuid": "^9.0.0" | ||
"uuid": "^9.0.0", | ||
"striptags": "^3.2.0" | ||
}, | ||
"lint-staged": { | ||
"*.{js,jsx,ts,tsx}": ["prettier --ignore-path .eslintignore --write"], | ||
"*.{js,jsx,ts,tsx}": [ | ||
"prettier --ignore-path .eslintignore --write" | ||
], | ||
"{*.json,.{babelrc,eslintrc,prettierrc,stylelintrc}}": [ | ||
@@ -42,3 +54,5 @@ | ||
], | ||
"*.{html,md,yml}": ["prettier --ignore-path .eslintignore --single-quote --write"] | ||
"*.{html,md,yml}": [ | ||
"prettier --ignore-path .eslintignore --single-quote --write" | ||
] | ||
} |
Package | Version | Security advisories |
striptags (npm) | 3.2.0 | None |
No description provided.