Skip to content

[BUG] : Workspace name / personal message are not HTML-escaped in invite emails (HTML injection) #784

Description

@ishitaajain22-tech

Description of the Bug

send_workspace_invite_email interpolates workspace_name and personal_message directly into html_body via f-strings with no escaping (e.g. <strong>'{workspace_name}'</strong> and the personal_block paragraph). Since workspace_name is user-supplied (workspace creation) and personal_message is attacker-controllable by anyone who can send an invite, arbitrary HTML/markup can be injected into the email body rendered by the recipient's mail client.

Steps to Reproduce

Create a workspace with a name like </strong><img src=x onerror=alert(1)> or invite a user with a personal_message containing HTML tags.
Trigger a workspace invite to a real email address.
Open the received email in an HTML-rendering client.
Observe the injected markup renders instead of being displayed as plain text.

Expected Behavior

workspace_name and personal_message should be HTML-escaped (e.g. via html.escape()) before being inserted into html_body.

Screenshots / Logs

No response

Environment

Backend, SMTP email delivery

GSSoC '26

  • Yes, I am participating in GirlScript Summer of Code and would like to fix this.

Metadata

Metadata

Assignees

Labels

bugSomething isn't workinggssocGirlScript Summer of Code 2026 issue/PR

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions