DP-542 Fix email sanitization issues

tomonorman · tomonorman · commit aefe0ceb6ce3 · 2022-07-28T10:14:42.000+09:00
diff --git a/src/Resources/BaseUserResource.php b/src/Resources/BaseUserResource.php
@@ -211,13 +211,13 @@ protected function sendInvite($userId, $deleteOnError = false)
                     'link'           => url(\Config::get('df.confirm_invite_url')) .
                         '?code=' . $user->confirm_code .
                         '&email=' . $email .
-                        '&username=' . $user->username .
+                        '&username=' . strip_tags($user->username) .
                         '&admin=' . $user->is_sys_admin,
-                    'first_name'     => $user->first_name,
-                    'last_name'      => $user->last_name,
-                    'name'           => $user->name,
+                    'first_name'     => strip_tags($user->first_name),
+                    'last_name'      => strip_tags($user->last_name),
+                    'name'           => strip_tags($user->name),
                     'email'          => $user->email,
-                    'phone'          => $user->phone,
+                    'phone'          => strip_tags($user->phone),
                     'content_header' => array_get($templateData, 'subject',
                         'You are invited to try DreamFactory.'),
                     'app_name'       => \Config::get('app.name'),
diff --git a/src/Resources/UserPasswordResource.php b/src/Resources/UserPasswordResource.php
@@ -410,6 +410,7 @@ protected static function userLogin($email, $password)
      */
     protected function sendPasswordResetEmail(User $user)
     {
+
         $email = $user->email;
 
         /** @var \DreamFactory\Core\User\Services\User $parent */
@@ -441,15 +442,15 @@ protected function sendPasswordResetEmail(User $user)
 
                 $data['to'] = $email;
                 $data['content_header'] = 'Password Reset';
-                $data['first_name'] = $user->first_name;
-                $data['last_name'] = $user->last_name;
-                $data['name'] = $user->name;
-                $data['phone'] = $user->phone;
+                $data['first_name'] = strip_tags($user->first_name);
+                $data['last_name'] = strip_tags($user->last_name);
+                $data['name'] = strip_tags($user->name);
+                $data['phone'] = strip_tags($user->phone);
                 $data['email'] = $user->email;
                 $data['link'] = url(\Config::get('df.confirm_reset_url')) .
                     '?code=' . $user->confirm_code .
                     '&email=' . $email .
-                    '&username=' . $user->username .
+                    '&username=' . strip_tags($user->username) .
                     '&admin=' . $user->is_sys_admin;
                 $data['confirm_code'] = $user->confirm_code;
 
