From 3862facaf251bd4455fe9ca23ea2abfe38d758a6 Mon Sep 17 00:00:00 2001
From: ychung-mot
Date: Mon, 18 Nov 2024 09:47:06 -0800
Subject: [PATCH] chore: sanitize user input
---
 .../DelistingDtos/TakedownRequestCreateDto.cs | 1 -
 server/StrDss.Service/DelistingService.cs | 1 -
 .../EmailTemplates/ComplianceOrderFromListing.cs | 3 +--
 .../EmailTemplates/EmailTemplateBase.cs | 13 +++++++++++--
 .../StrDss.Service/EmailTemplates/TakedownNotice.cs | 6 +++---
 .../EmailTemplates/TakedownNoticeFromListing.cs | 4 +---
 .../EmailTemplates/TakedownRequest.cs | 4 ++--
 .../EmailTemplates/TakedownRequestFromListing.cs | 4 +---
 server/StrDss.Service/StrDss.Service.csproj | 1 +
 9 files changed, 20 insertions(+), 17 deletions(-)
diff --git a/server/StrDss.Model/DelistingDtos/TakedownRequestCreateDto.cs b/server/StrDss.Model/DelistingDtos/TakedownRequestCreateDto.cs
index a076c295..408727c8 100644
--- a/server/StrDss.Model/DelistingDtos/TakedownRequestCreateDto.cs
+++ b/server/StrDss.Model/DelistingDtos/TakedownRequestCreateDto.cs
@@ -9,7 +9,6 @@ public class TakedownRequestCreateDto
 public string ListingUrl { get; set; } = "";
 public List CcList { get; set; } = new List();
 public bool IsWithStandardDetail { get; set; }
- public string CustomDetailTxt { get; set; } = "";
 [JsonIgnore]
 public List ToList { get; set; } = new List();
 }
diff --git a/server/StrDss.Service/DelistingService.cs b/server/StrDss.Service/DelistingService.cs
index 9cfbaaa3..16d9328d 100644
--- a/server/StrDss.Service/DelistingService.cs
+++ b/server/StrDss.Service/DelistingService.cs
@@ -729,7 +729,6 @@ private async Task SendTakedownRequestAsync(TakedownRequestCreateDto dto, Organi
 InvolvedInOrganizationId = dto.PlatformId,
 RequestingOrganizationId = lg!.OrganizationId,
 IsWithStandardDetail = dto.IsWithStandardDetail,
- CustomDetailTxt = dto.CustomDetailTxt,
 };
 await _emailRepo.AddEmailMessage(emailEntity);
diff --git a/server/StrDss.Service/EmailTemplates/ComplianceOrderFromListing.cs b/server/StrDss.Service/EmailTemplates/ComplianceOrderFromListing.cs
index d2d008c7..116ec4c2 100644
--- a/server/StrDss.Service/EmailTemplates/ComplianceOrderFromListing.cs
+++ b/server/StrDss.Service/EmailTemplates/ComplianceOrderFromListing.cs
@@ -8,7 +8,6 @@ public ComplianceOrderFromListing(IEmailMessageService emailService) : base(emailService)
 {
 EmailMessageType = EmailMessageTypes.ComplianceOrder;
- //From = Environment.GetEnvironmentVariable("STR_CEU_EMAIL") ?? From;
 Subject = "New mail regarding your short-term rental listing";
 }
@@ -23,7 +22,7 @@ public override string GetContent()
 return (Preview ? GetPreviewHeader() : "") + $@"
 Dear Host,

This message has been sent to you by B.C.'s Short-term Rental Compliance Unit regarding your short-term rental listing:
{Url}

-{Comment}
+{Sanitize(Comment)}
";
 }
diff --git a/server/StrDss.Service/EmailTemplates/EmailTemplateBase.cs b/server/StrDss.Service/EmailTemplates/EmailTemplateBase.cs
index 8344e9b3..eefa9041 100644
--- a/server/StrDss.Service/EmailTemplates/EmailTemplateBase.cs
+++ b/server/StrDss.Service/EmailTemplates/EmailTemplateBase.cs
@@ -1,14 +1,18 @@
-using StrDss.Common;
+using Ganss.Xss;
+using StrDss.Common;
 using StrDss.Model;
 namespace StrDss.Service.EmailTemplates
 {
 public class EmailTemplateBase
 {
- public IEmailMessageService _emailService { get; }
+ private IEmailMessageService _emailService { get; set; }
+ private HtmlSanitizer _sanitizer { get; set; }
+
 public EmailTemplateBase(IEmailMessageService emailService)
 {
 _emailService = emailService;
+ _sanitizer = new HtmlSanitizer();
 }
 public string Subject { get; set; } = "";
@@ -57,5 +61,10 @@ public async Task SendEmail()
 return await _emailService.SendEmailAsync(emailContent);
 }
+ 
+ public string Sanitize(string? text)
+ {
+ return _sanitizer.Sanitize(text ?? "");
+ }
 }
 }
diff --git a/server/StrDss.Service/EmailTemplates/TakedownNotice.cs b/server/StrDss.Service/EmailTemplates/TakedownNotice.cs
index 1dc50785..7bbc103f 100644
--- a/server/StrDss.Service/EmailTemplates/TakedownNotice.cs
+++ b/server/StrDss.Service/EmailTemplates/TakedownNotice.cs
@@ -23,11 +23,11 @@ public override string GetContent()
 return (Preview ? GetPreviewHeader() : "") + $@"
 Dear Host,
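Review bot: `{Url}` two lines above `{Sanitize(Comment)}` is still interpolated raw, while the sibling templates touched by this commit (TakedownNotice, TakedownRequest) wrap the same field in `Sanitize(Url)`. If Url is filled from the request DTO's ListingUrl it is as user-controlled as Comment and should read `{Sanitize(Url)}` here as well; if it is always taken from a trusted record, a short comment on the property saying so would keep the next reader from flagging it. GetContent's opening brace lies before this hunk.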
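Review bot: `Sanitize` uses `new HtmlSanitizer()` with its default configuration, which is an allowlist, not a stripper: as far as I recall the defaults keep a broad set of markup including anchors and images, so a user-supplied link in a Comment would survive into an email that carries the Province's branding. If these notices are not meant to carry any markup, constrain the instance once — `sanitizer.AllowedTags.Clear(); sanitizer.AllowedAttributes.Clear(); sanitizer.KeepChildNodes = true;` — or encode with `WebUtility.HtmlEncode` instead; and if the message is sent as plain text rather than HTML (the hunk does not show which), the sanitizer will also HTML-encode `&` and `<` in ordinary prose, so the choice should be confirmed against the sender. Separately, the sanitizer is constructed per template instance; the library documents the type as thread-safe once its configuration is fixed, so a `private static readonly` instance avoids re-creating the parser for every email. A one-line `<summary>` on Sanitize stating that its output is HTML-safe markup, not plain text, would make the contract explicit for the template authors calling it.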

Short-term rental accommodations in your community are regulated by your local government. The {LgName} has determined that the following short-term rental listing is not in compliance with an applicable local government business licence requirement:

-{Url}

-Listing ID Number: {ListingId}

+{Sanitize(Url)}

+Listing ID Number: {Sanitize(ListingId)}

Under the provincial Short-Term Rental Accommodations Act and its regulations, the local government may submit a request to the short-term rental platform to cease providing platform services (e.g., remove this listing from the platform and cancel bookings) within a period of 5-90 days after the date of delivery of this Notice. Short-term rental platforms are required to comply with the local government’s request within 5 days of receiving the request.

This Notice has been issued by {LgName}.

-{Comment}

+{Sanitize(Comment)}

For more information on this Notice, or local government short-term rental business licences, please contact your local government.

For more information on the Short-term Rental Accommodations Act, please visit: New rules for short-term rentals - Province of British Columbia (gov.bc.ca).
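Review bot: `{LgName}` is interpolated unsanitized twice in this template (in the "regulated by your local government" sentence and in "This Notice has been issued by") while Url, ListingId and Comment all gained `Sanitize()` in this hunk. If LgName is read straight from the organization record that is defensible, but it is the same kind of interpolated field as the ones being escaped, so either `{Sanitize(LgName)}` for consistency or a comment at the property stating that it is trusted data. GetContent's opening brace lies before this hunk.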

diff --git a/server/StrDss.Service/EmailTemplates/TakedownNoticeFromListing.cs b/server/StrDss.Service/EmailTemplates/TakedownNoticeFromListing.cs
index 87485129..46f1a399 100644
--- a/server/StrDss.Service/EmailTemplates/TakedownNoticeFromListing.cs
+++ b/server/StrDss.Service/EmailTemplates/TakedownNoticeFromListing.cs
@@ -1,6 +1,4 @@
-using StrDss.Common;
-
-namespace StrDss.Service.EmailTemplates
+namespace StrDss.Service.EmailTemplates
 {
 public class TakedownNoticeFromListing : TakedownNotice
 {
diff --git a/server/StrDss.Service/EmailTemplates/TakedownRequest.cs b/server/StrDss.Service/EmailTemplates/TakedownRequest.cs
index b2400ae0..ea1b2230 100644
--- a/server/StrDss.Service/EmailTemplates/TakedownRequest.cs
+++ b/server/StrDss.Service/EmailTemplates/TakedownRequest.cs
@@ -20,8 +20,8 @@ public override string GetContent()
 return (Preview ? GetPreviewHeader() : "") + $@"
 A takedown request for the following short-term rental listing was submitted to the Province of B.C.’s Short-term Rental Data Portal and will be delivered to the platform at 11:50pm PST tonight:

-{Url}

-Listing ID Number: {ListingId}

+{Sanitize(Url)}

+Listing ID Number: {Sanitize(ListingId)}

Under the Short-Term Rental Accommodations Act and its regulations, the platform is required to comply with the request within 5 days from the date of receipt of the request. If the platform fails to comply with the request (e.g., remove the listing), local governments can escalate the matter to the Director of the Provincial STR Compliance and Enforcement Unit at: CEUescalations@gov.bc.ca.

This email has been automatically generated. Please do not reply to this email. ";
diff --git a/server/StrDss.Service/EmailTemplates/TakedownRequestFromListing.cs b/server/StrDss.Service/EmailTemplates/TakedownRequestFromListing.cs
index 430e6fa8..6c3f2ca2 100644
--- a/server/StrDss.Service/EmailTemplates/TakedownRequestFromListing.cs
+++ b/server/StrDss.Service/EmailTemplates/TakedownRequestFromListing.cs
@@ -1,6 +1,4 @@
-using StrDss.Common;
-
-namespace StrDss.Service.EmailTemplates
+namespace StrDss.Service.EmailTemplates
 {
 public class TakedownRequestFromListing : TakedownRequest
 {
diff --git a/server/StrDss.Service/StrDss.Service.csproj b/server/StrDss.Service/StrDss.Service.csproj
index 0ac4750c..b2b87aa4 100644
--- a/server/StrDss.Service/StrDss.Service.csproj
+++ b/server/StrDss.Service/StrDss.Service.csproj
@@ -7,6 +7,7 @@
+