Description of the Bug
send_workspace_invite_email interpolates workspace_name and personal_message directly into html_body via f-strings with no escaping (e.g. <strong>'{workspace_name}'</strong> and the personal_block paragraph). Since workspace_name is user-supplied (workspace creation) and personal_message is attacker-controllable by anyone who can send an invite, arbitrary HTML/markup can be injected into the email body rendered by the recipient's mail client.
Steps to Reproduce
Create a workspace with a name like </strong><img src=x onerror=alert(1)> or invite a user with a personal_message containing HTML tags.
Trigger a workspace invite to a real email address.
Open the received email in an HTML-rendering client.
Observe the injected markup renders instead of being displayed as plain text.
Expected Behavior
workspace_name and personal_message should be HTML-escaped (e.g. via html.escape()) before being inserted into html_body.
Screenshots / Logs
No response
Environment
Backend, SMTP email delivery
GSSoC '26
Description of the Bug
send_workspace_invite_emailinterpolatesworkspace_nameandpersonal_messagedirectly into html_body via f-strings with no escaping (e.g.<strong>'{workspace_name}'</strong>and thepersonal_blockparagraph). Since workspace_name is user-supplied (workspace creation) andpersonal_messageis attacker-controllable by anyone who can send an invite, arbitrary HTML/markup can be injected into the email body rendered by the recipient's mail client.Steps to Reproduce
Create a workspace with a name like
</strong><img src=x onerror=alert(1)>or invite a user with a personal_message containing HTML tags.Trigger a workspace invite to a real email address.
Open the received email in an HTML-rendering client.
Observe the injected markup renders instead of being displayed as plain text.
Expected Behavior
workspace_nameandpersonal_messageshould be HTML-escaped(e.g. via html.escape())before being inserted intohtml_body.Screenshots / Logs
No response
Environment
Backend, SMTP email delivery
GSSoC '26