fix(audit-wave-1): route all email-template URLs through safeUrl
Closes Wave 1.4 (CRITICAL). Three templates still inlined URLs
directly into `href` without the existing safeUrl() helper:
- inquiry-client-confirmation: `mailto:${contactEmail}` href —
user-supplied email straight to an HTML attribute.
- inquiry-sales-notification: `${crmUrl}` from inquiry form input.
- residential-inquiry: same `mailto:${contactEmail}` pattern.
Each call now passes through `safeUrl()` from `@/lib/email/shell`,
which (a) scheme-allow-lists to http(s)/mailto/tel/root-relative and
(b) HTML-attribute-escapes the result. A stray `"` in any URL would
have escaped the attribute; a `javascript:` scheme would have
triggered XSS in webmail clients that run scripts.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@@ -1,7 +1,7 @@
import { Link, Text, render } from '@react-email/components';
import * as React from 'react';
import { brandingPrimaryColor, renderShell, type BrandingShell } from '@/lib/email/shell';
import { brandingPrimaryColor, renderShell, safeUrl, type BrandingShell } from '@/lib/email/shell';
export interface InquiryClientConfirmationData {
firstName: string;
@@ -38,7 +38,7 @@ function ClientConfirmationBody({
<Text style={{ marginBottom: '10px', fontSize: '16px' }}>
If you have any questions, please feel free to reach out to us at{' '}
<Link
href={`mailto:${contactEmail}`}
href={safeUrl(`mailto:${contactEmail}`)}
style={{ color: accent, textDecoration: 'underline' }}
>
{contactEmail}
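Review bot: safeUrl() allow-lists only the scheme, so on the new `href={safeUrl(...)}` line everything after `mailto:` still reaches the attribute unchecked; a contactEmail value holding `?cc=`/`?bcc=` or a comma-separated second address passes the mailto check and changes who a drafted reply goes to. Validate contactEmail as a single bare address before it is interpolated (reject `?`, `&`, `,` and whitespace), e.g. `href={isPlainEmail(contactEmail) ? safeUrl('mailto:' + contactEmail) : undefined}` with isPlainEmail standing for whatever address validator the project already has. Whether contactEmail is form input or branding configuration is not visible here, and neither is what safeUrl returns for a rejected value; both deserve a short comment at the call site. The residential-inquiry hunk at `@@ -39,7 +39,7 @@` has the identical pattern and this applies there too. ClientConfirmationBody starts and ends outside the hunk.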
@@ -1,7 +1,7 @@
import { Link, Text, render } from '@react-email/components';
import * as React from 'react';
import { brandingPrimaryColor, renderShell, type BrandingShell } from '@/lib/email/shell';
import { brandingPrimaryColor, renderShell, safeUrl, type BrandingShell } from '@/lib/email/shell';
export interface InquirySalesNotificationData {
fullName: string;
@@ -55,7 +55,7 @@ function SalesNotificationBody({
</Text>
<Text style={{ marginBottom: '10px', fontSize: '16px' }}>
Please visit the{' '}
<Link href={crmUrl} style={{ color: accent, textDecoration: 'underline' }}>
<Link href={safeUrl(crmUrl)} style={{ color: accent, textDecoration: 'underline' }}>
{portName} CRM
</Link>{' '}
to view more information.
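Review bot: The description says safeUrl() HTML-attribute-escapes its result, but on the new `<Link href={safeUrl(crmUrl)}` line the value is a JSX prop that React escapes again when the email is rendered to HTML, so a crmUrl carrying a query string (`?a=1&b=2`) would likely be emitted as `&amp;amp;` and break the link; I cannot see safeUrl's body, so confirm whether its escaping is intended only for string-built templates. If it is, these JSX call sites should use the scheme-validation step alone and leave escaping to React, e.g. `href={safeHref(crmUrl)}` where safeHref is a placeholder name for a validate-without-escaping variant exported from `@/lib/email/shell`. The same double-escaping question applies to the two mailto call sites in this commit. SalesNotificationBody starts and ends outside the hunk.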
@@ -39,7 +39,7 @@ function ClientConfirmationBody({
<Text style={{ marginBottom: '10px', fontSize: '16px', lineHeight: '1.5' }}>
If you have any questions in the meantime, please reach us at{' '}
<Link
href={`mailto:${contactEmail}`}
href={safeUrl(`mailto:${contactEmail}`)}
style={{ color: accent, textDecoration: 'underline' }}
>
{contactEmail}
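Review bot: Unlike the other two files, no import hunk is shown for this one, so the new `href={safeUrl(...)}` line relies on safeUrl already being imported from `@/lib/email/shell` here or on an import change outside the view; confirm before merge, since an unresolved name fails the build rather than degrading quietly. A one-line comment on that import, `// safeUrl: scheme allow-list + attribute escape for href values`, would make the dependency explicit for the next reader. ClientConfirmationBody starts and ends outside the hunk.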