xss validation

This commit is contained in:
Mazyar
2025-12-07 23:52:17 +03:30
parent b8a10f355e
commit 7fb182f180
10 changed files with 372 additions and 29 deletions
+17 -7
View File
@@ -2,8 +2,11 @@ package inquiry
import (
"fmt"
"html"
"strings"
"time"
"tm/pkg/security"
)
// EmailTemplateData represents the data needed for the email template
@@ -20,7 +23,14 @@ type EmailTemplateData struct {
}
// GenerateNewInquiryEmailTemplate generates a beautiful HTML email template for new inquiry notifications
func GenerateNewInquiryEmailTemplate(data *EmailTemplateData) string {
func GenerateNewInquiryEmailTemplate(data *EmailTemplateData, xssPolicy *security.XSSPolicy) string {
// Sanitize all user inputs before inserting into HTML
safeFullName := html.EscapeString(data.FullName)
safeCompanyName := html.EscapeString(data.CompanyName)
safeWorkEmail := html.EscapeString(data.WorkEmail)
safePhoneNumber := html.EscapeString(data.PhoneNumber)
safeInquiryID := html.EscapeString(data.InquiryID)
// Format the creation date
createdAt := time.Unix(data.CreatedAt, 0).Format("January 2, 2006 at 3:04 PM")
@@ -249,12 +259,12 @@ func GenerateNewInquiryEmailTemplate(data *EmailTemplateData) string {
</body>
</html>`
// Replace placeholders with actual data
html = strings.ReplaceAll(html, "{{COMPANY_NAME}}", data.CompanyName)
html = strings.ReplaceAll(html, "{{INQUIRY_ID}}", data.InquiryID)
html = strings.ReplaceAll(html, "{{FULL_NAME}}", data.FullName)
html = strings.ReplaceAll(html, "{{WORK_EMAIL}}", data.WorkEmail)
html = strings.ReplaceAll(html, "{{PHONE_NUMBER}}", data.PhoneNumber)
// Replace placeholders with sanitized data
html = strings.ReplaceAll(html, "{{COMPANY_NAME}}", safeCompanyName)
html = strings.ReplaceAll(html, "{{INQUIRY_ID}}", safeInquiryID)
html = strings.ReplaceAll(html, "{{FULL_NAME}}", safeFullName)
html = strings.ReplaceAll(html, "{{WORK_EMAIL}}", safeWorkEmail)
html = strings.ReplaceAll(html, "{{PHONE_NUMBER}}", safePhoneNumber)
html = strings.ReplaceAll(html, "{{CREATED_AT}}", createdAt)
return html