From 8221dd39cfb62203d888981ac40dbcd6c69fab81 Mon Sep 17 00:00:00 2001
From: Artur Plysyuk <ifuelen@gmail.com>
Date: Tue, 1 Sep 2020 00:04:31 +0300
Subject: [PATCH] Fix XSS in email viewer

---
 lib/bamboo/plug/sent_email_viewer/index.html.eex | 12 ++++++++----
 lib/mix/start_sent_email_viewer_task.ex          |  4 ++--
 2 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/lib/bamboo/plug/sent_email_viewer/index.html.eex b/lib/bamboo/plug/sent_email_viewer/index.html.eex
index 9d765833..5ec51434 100644
--- a/lib/bamboo/plug/sent_email_viewer/index.html.eex
+++ b/lib/bamboo/plug/sent_email_viewer/index.html.eex
@@ -145,18 +145,22 @@
           <a
             class="email-summary <%= Bamboo.SentEmailViewerPlug.Helper.selected_email_class(email, @selected_email) %>"
             href="<%= "#{@base_path}/#{Bamboo.SentEmail.get_id(email)}" %>">
-            <span class="email-summary-subject truncate"><%= email.subject %></span>
+            <span class="email-summary-subject truncate" title="<%= Plug.HTML.html_escape(email.subject) %>">
+              <%= Plug.HTML.html_escape(email.subject) %>
+            </span>
             <span class="email-summary-recipients truncate">
               <%= Bamboo.SentEmailViewerPlug.Helper.format_email_address(email.from) %>
               to <%= Bamboo.SentEmailViewerPlug.Helper.email_addresses(email) %>
             </span>
-            <span class="email-summary-body-excerpt"><%= email.text_body %></span>
+            <span class="email-summary-body-excerpt">
+              <%= Plug.HTML.html_escape(email.text_body) %>
+            </span>
           </a>
         <% end %>
       </aside>
       <section class="email-detail-pane">
         <section class="email-detail-hero">
-          <span class="email-detail-subject"><%= @selected_email.subject %></span>
+          <span class="email-detail-subject"><%= Plug.HTML.html_escape(@selected_email.subject) %></span>
           <span class="email-detail-recipients">
             From <strong><%= Bamboo.SentEmailViewerPlug.Helper.format_email_address(@selected_email.from) %></strong>
             to <strong><%= Bamboo.SentEmailViewerPlug.Helper.email_addresses(@selected_email) %></strong>
@@ -183,7 +187,7 @@
           </p>
 
           <h3 class="email-detail-body-label">Text Body</h3>
-          <pre class="email-detail-body"><%= @selected_email.text_body %></pre>
+          <pre class="email-detail-body"><%= Plug.HTML.html_escape(@selected_email.text_body) %></pre>
         </section>
       </section>
     </main>
diff --git a/lib/mix/start_sent_email_viewer_task.ex b/lib/mix/start_sent_email_viewer_task.ex
index 7f332876..0ccf7bb4 100644
--- a/lib/mix/start_sent_email_viewer_task.ex
+++ b/lib/mix/start_sent_email_viewer_task.ex
@@ -15,7 +15,7 @@ defmodule Mix.Tasks.Bamboo.StartSentEmailViewer do
       Bamboo.Email.new_email(
         from: "me@gmail.com",
         to: "someone@foo.com",
-        subject: "#{index} - This is a long subject for testing truncation",
+        subject: "#{index} - <em>This</em> is a long subject for testing truncation",
         html_body: """
         Check different tag <strong>styling</strong>
 
@@ -32,7 +32,7 @@ defmodule Mix.Tasks.Bamboo.StartSentEmailViewer do
         long to see how it expands on to the next line
 
         Sincerely,
-        Me
+        Me and <em>html tag</em>
         """
       )
       |> Bamboo.Mailer.normalize_addresses()