xss validation
This commit is contained in:
@@ -2,8 +2,11 @@ package inquiry
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"html"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"tm/pkg/security"
|
||||
)
|
||||
|
||||
// EmailTemplateData represents the data needed for the email template
|
||||
@@ -20,7 +23,14 @@ type EmailTemplateData struct {
|
||||
}
|
||||
|
||||
// GenerateNewInquiryEmailTemplate generates a beautiful HTML email template for new inquiry notifications
|
||||
func GenerateNewInquiryEmailTemplate(data *EmailTemplateData) string {
|
||||
func GenerateNewInquiryEmailTemplate(data *EmailTemplateData, xssPolicy *security.XSSPolicy) string {
|
||||
// Sanitize all user inputs before inserting into HTML
|
||||
safeFullName := html.EscapeString(data.FullName)
|
||||
safeCompanyName := html.EscapeString(data.CompanyName)
|
||||
safeWorkEmail := html.EscapeString(data.WorkEmail)
|
||||
safePhoneNumber := html.EscapeString(data.PhoneNumber)
|
||||
safeInquiryID := html.EscapeString(data.InquiryID)
|
||||
|
||||
// Format the creation date
|
||||
createdAt := time.Unix(data.CreatedAt, 0).Format("January 2, 2006 at 3:04 PM")
|
||||
|
||||
@@ -249,12 +259,12 @@ func GenerateNewInquiryEmailTemplate(data *EmailTemplateData) string {
|
||||
</body>
|
||||
</html>`
|
||||
|
||||
// Replace placeholders with actual data
|
||||
html = strings.ReplaceAll(html, "{{COMPANY_NAME}}", data.CompanyName)
|
||||
html = strings.ReplaceAll(html, "{{INQUIRY_ID}}", data.InquiryID)
|
||||
html = strings.ReplaceAll(html, "{{FULL_NAME}}", data.FullName)
|
||||
html = strings.ReplaceAll(html, "{{WORK_EMAIL}}", data.WorkEmail)
|
||||
html = strings.ReplaceAll(html, "{{PHONE_NUMBER}}", data.PhoneNumber)
|
||||
// Replace placeholders with sanitized data
|
||||
html = strings.ReplaceAll(html, "{{COMPANY_NAME}}", safeCompanyName)
|
||||
html = strings.ReplaceAll(html, "{{INQUIRY_ID}}", safeInquiryID)
|
||||
html = strings.ReplaceAll(html, "{{FULL_NAME}}", safeFullName)
|
||||
html = strings.ReplaceAll(html, "{{WORK_EMAIL}}", safeWorkEmail)
|
||||
html = strings.ReplaceAll(html, "{{PHONE_NUMBER}}", safePhoneNumber)
|
||||
html = strings.ReplaceAll(html, "{{CREATED_AT}}", createdAt)
|
||||
|
||||
return html
|
||||
|
||||
Reference in New Issue
Block a user