Merge pull request #788 from bcgov/yj

chore: sanitize user input
bcgov · Nov 18, 2024 · e2c4bb6 · e2c4bb6
2 parents 48a4f68 + 3862fac
commit e2c4bb6
Show file tree

Hide file tree

Showing 9 changed files with 20 additions and 17 deletions.
diff --git a/server/StrDss.Model/DelistingDtos/TakedownRequestCreateDto.cs b/server/StrDss.Model/DelistingDtos/TakedownRequestCreateDto.cs
@@ -9,7 +9,6 @@ public class TakedownRequestCreateDto
         public string ListingUrl { get; set; } = "";
         public List<string> CcList { get; set; } = new List<string>();
         public bool IsWithStandardDetail { get; set; }
-        public string CustomDetailTxt { get; set; } = "";
         [JsonIgnore]
         public List<string> ToList { get; set; } = new List<string>();
     }

diff --git a/server/StrDss.Service/DelistingService.cs b/server/StrDss.Service/DelistingService.cs
@@ -729,7 +729,6 @@ private async Task SendTakedownRequestAsync(TakedownRequestCreateDto dto, Organi
                 InvolvedInOrganizationId = dto.PlatformId,
                 RequestingOrganizationId = lg!.OrganizationId,
                 IsWithStandardDetail = dto.IsWithStandardDetail,
-                CustomDetailTxt = dto.CustomDetailTxt,
             };
 
             await _emailRepo.AddEmailMessage(emailEntity);

diff --git a/server/StrDss.Service/EmailTemplates/ComplianceOrderFromListing.cs b/server/StrDss.Service/EmailTemplates/ComplianceOrderFromListing.cs
@@ -8,7 +8,6 @@ public ComplianceOrderFromListing(IEmailMessageService emailService)
             : base(emailService)
         {
             EmailMessageType = EmailMessageTypes.ComplianceOrder;
-            //From = Environment.GetEnvironmentVariable("STR_CEU_EMAIL") ?? From;
             Subject = "New mail regarding your short-term rental listing";
         }
 
@@ -23,7 +22,7 @@ public override string GetContent()
             return (Preview ? GetPreviewHeader() : "") + $@"
 Dear Host,<br/><br/>
 <b>This message has been sent to you by B.C.'s Short-term Rental Compliance Unit regarding your short-term rental listing:</b><br/><b>{Url}</b><br/><br/>
-<b>{Comment}</b><br/>
+<b>{Sanitize(Comment)}</b><br/>
 ";
         }
 

diff --git a/server/StrDss.Service/EmailTemplates/EmailTemplateBase.cs b/server/StrDss.Service/EmailTemplates/EmailTemplateBase.cs
@@ -1,14 +1,18 @@
-using StrDss.Common;
+using Ganss.Xss;
+using StrDss.Common;
 using StrDss.Model;
 
 namespace StrDss.Service.EmailTemplates
 {
     public class EmailTemplateBase
     {
-        public IEmailMessageService _emailService { get; }
+        private IEmailMessageService _emailService { get; set; }
+        private HtmlSanitizer _sanitizer { get; set; }
+
         public EmailTemplateBase(IEmailMessageService emailService)
         {
             _emailService = emailService;
+            _sanitizer = new HtmlSanitizer();
         }
 
         public string Subject { get; set;  } = "";
@@ -57,5 +61,10 @@ public async Task<string> SendEmail()
 
             return await _emailService.SendEmailAsync(emailContent);
         }
+
+        public string Sanitize(string? text)
+        {
+            return _sanitizer.Sanitize(text ?? "");
+        }
     }
 }
diff --git a/server/StrDss.Service/EmailTemplates/TakedownNotice.cs b/server/StrDss.Service/EmailTemplates/TakedownNotice.cs
@@ -23,11 +23,11 @@ public override string GetContent()
             return (Preview ? GetPreviewHeader() : "") + $@"
 Dear Host,<br/><br/>
 Short-term rental accommodations in your community are regulated by your local government. The {LgName} has determined that the following short-term rental listing is not in compliance with an applicable local government business licence requirement:<br/><br/>
-<b>{Url}</b><br/><br/>
-Listing ID Number: <b>{ListingId}</b><br/><br/>
+<b>{Sanitize(Url)}</b><br/><br/>
+Listing ID Number: <b>{Sanitize(ListingId)}</b><br/><br/>
 Under the provincial <a href='https://www.bclaws.gov.bc.ca/civix/document/id/bills/billsprevious/4th42nd:gov35-1'><i>Short-Term Rental Accommodations Act</i></a> and its regulations, the local government may submit a request to the short-term rental platform to cease providing platform services (e.g., remove this listing from the platform and cancel bookings) within a period of 5-90 days after the date of delivery of this Notice. Short-term rental platforms are required to comply with the local government’s request within 5 days of receiving the request.<br/><br/>
 This Notice has been issued by {LgName}.<br/><br/>
-{Comment}<br/><br/>
+{Sanitize(Comment)}<br/><br/>
 For more information on this Notice, or local government short-term rental business licences, please contact your local government.<br/><br/>
 For more information on the <i>Short-term Rental Accommodations Act</i>, please visit: <a href='https://www2.gov.bc.ca/gov/content/housing-tenancy/short-term-rentals'>New rules for short-term rentals - Province of British Columbia (gov.bc.ca)</a>.<br/><br/>
 

diff --git a/server/StrDss.Service/EmailTemplates/TakedownNoticeFromListing.cs b/server/StrDss.Service/EmailTemplates/TakedownNoticeFromListing.cs
@@ -1,6 +1,4 @@
-using StrDss.Common;
-
-namespace StrDss.Service.EmailTemplates
+namespace StrDss.Service.EmailTemplates
 {
     public class TakedownNoticeFromListing : TakedownNotice
     {

diff --git a/server/StrDss.Service/EmailTemplates/TakedownRequest.cs b/server/StrDss.Service/EmailTemplates/TakedownRequest.cs
@@ -20,8 +20,8 @@ public override string GetContent()
 
             return (Preview ? GetPreviewHeader() : "") + $@"
 A takedown request for the following short-term rental listing was submitted to the Province of B.C.’s Short-term Rental Data Portal and will be delivered to the platform at 11:50pm PST tonight:<br/><br/>
-<b>{Url}</b><br/><br/>
-Listing ID Number: <b>{ListingId}</b><br/><br/>
+<b>{Sanitize(Url)}</b><br/><br/>
+Listing ID Number: <b>{Sanitize(ListingId)}</b><br/><br/>
 Under the <a href='https://www.bclaws.gov.bc.ca/civix/document/id/bills/billsprevious/4th42nd:gov35-1'>Short-Term Rental Accommodations Act</a> and its regulations, the platform is required to comply with the request within 5 days from the date of receipt of the request. If the platform fails to comply with the request (e.g., remove the listing), local governments can escalate the matter to the Director of the Provincial STR Compliance and Enforcement Unit at: <a href='mailto: [email protected]'>[email protected]</a>.<br/><br/>
 This email has been automatically generated. Please do not reply to this email.
 ";

diff --git a/server/StrDss.Service/EmailTemplates/TakedownRequestFromListing.cs b/server/StrDss.Service/EmailTemplates/TakedownRequestFromListing.cs
@@ -1,6 +1,4 @@
-using StrDss.Common;
-
-namespace StrDss.Service.EmailTemplates
+namespace StrDss.Service.EmailTemplates
 {
     public class TakedownRequestFromListing : TakedownRequest
     {

diff --git a/server/StrDss.Service/StrDss.Service.csproj b/server/StrDss.Service/StrDss.Service.csproj
@@ -7,6 +7,7 @@
 	</PropertyGroup>
 	<ItemGroup>
 		<PackageReference Include="CsvHelper" Version="31.0.2" />
+		<PackageReference Include="HtmlSanitizer" Version="8.1.870" />
 		<PackageReference Include="Microsoft.Extensions.Configuration.Abstractions" Version="8.0.0" />
 		<PackageReference Include="Microsoft.Extensions.Configuration.Binder" Version="8.0.2" />
 		<PackageReference Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="8.0.2" />