[buddypress-trac] [BuddyPress Trac] #7948: HTML sanitization for user-generated content in notification emails
buddypress-trac
noreply at wordpress.org
Mon Aug 20 18:39:38 UTC 2018
#7948: HTML sanitization for user-generated content in notification emails
--------------------------+-----------------------------
Reporter: boonebgorges | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Core | Version:
Severity: normal | Keywords: 2nd-opinion
--------------------------+-----------------------------
[10479] migrated email notifications over to `bp_send_email()`. In the old
non-HTML system, we stripped all tags from user-provided content before
assembling the email, because HTML wasn't supported. We maintained this
convention after the change, and we run content through
`wp_strip_all_tags()` before passing it to `bp_send_email()`.

I'm hoping that @djpaul can provide some of the original motivation for
this. I'm assuming it was mostly because rendering HTML in emails is
really hard, and it was one more thing to worry about; also, we were
putting user-provided content into a `blockquote`, which made the problem
of embedded content even more potentially complex.

I've implemented `bp_send_email()` integration in a few plugins, and have
run into problems when I don't strip tags from `usermessage`. HTML
generally works fine, but there are certain things that can break. Nested
`blockquotes` cause problems, as do inline images that are wider than 600px
(the width of the BP email template). Since `bp_send_email()` doesn't do
any validation or sanitization of `usermessage` - it doesn't need to, for
core emails - these issues are allowed to bleed through into the email
content.

I can work around these issues in the plugins, but the issues are likely
to be shared by any plugin using `bp_send_email()`, so I wanted to gauge
whether others (especially @djpaul) think it's worth exploring the
introduction of a few pieces of validation into BP core itself. I was
thinking of starting with a tool that parses `img` tags and ensures that
`width` can never be more than `600`. But if others think that this is
insane to try to handle in BP, we could just add something to the docs
that explains that `usermessage` is expected to be plaintext, and clients
are responsible for their own sanitization if they choose to pass HTML.
--
Ticket URL: <https://buddypress.trac.wordpress.org/ticket/7948>
BuddyPress Trac <http://buddypress.org/>
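
Added example, not part of the ticket and not BuddyPress code: one way to implement the `img` width check proposed above, using PHP's `DOMDocument` on HTML destined for `usermessage`. The `example_*` names and the sample input are hypothetical; besides capping the `width` attribute at 600 it also replaces the inline `style`, which goes slightly beyond the ticket's wording.

```php
<?php
// Added example; example_* names are hypothetical, not BuddyPress API.
const EXAMPLE_EMAIL_MAX_IMG_WIDTH = 600; // BP email template width, per the ticket

function example_clamp_email_images( string $html, int $max = EXAMPLE_EMAIL_MAX_IMG_WIDTH ): string {
    if ( false === stripos( $html, '<img' ) ) {
        return $html; // nothing to rewrite, leave the content untouched
    }

    $doc  = new DOMDocument();
    $prev = libxml_use_internal_errors( true ); // user HTML is rarely well-formed
    // The wrapper div stops bare text being wrapped in <p>; the prefix forces UTF-8 parsing.
    $doc->loadHTML( '<?xml encoding="UTF-8"><div>' . $html . '</div>', LIBXML_NONET );
    libxml_clear_errors();
    libxml_use_internal_errors( $prev );

    foreach ( $doc->getElementsByTagName( 'img' ) as $img ) {
        $raw = $img->getAttribute( 'width' );
        // Accept "800" and "800px"; percentages and junk are left to the CSS cap below.
        if ( preg_match( '/^\s*(\d+)\s*(?:px)?\s*$/i', $raw, $m ) && (int) $m[1] > $max ) {
            $img->setAttribute( 'width', (string) $max );
            $img->removeAttribute( 'height' ); // keep the aspect ratio
        }
        // Replace any user-supplied style, which could carry its own width.
        $img->setAttribute( 'style', "max-width:{$max}px;height:auto;" );
    }

    $body = $doc->getElementsByTagName( 'body' )->item( 0 );
    $wrap = $doc->getElementsByTagName( 'div' )->item( 0 ); // first div is always our wrapper
    if ( ! $body || ! $wrap ) {
        return ''; // fail closed: emit nothing rather than unchecked HTML
    }

    // Serialize the fragment back without the <html>/<body> scaffolding.
    $out = '';
    foreach ( $body->childNodes as $node ) {
        // A stray </div> in the input closes the wrapper early; keep what spilled out.
        $children = $node->isSameNode( $wrap ) ? $node->childNodes : array( $node );
        foreach ( $children as $child ) {
            $out .= $doc->saveHTML( $child );
        }
    }
    return $out;
}

// Constructed sample input: an image twice the template width with an inline style.
$sample = '<p>Look:</p><img src="https://example.com/a.png" width="1200" height="800" style="width:1200px">';
echo example_clamp_email_images( $sample ), "\n";
```

This covers only image width. Nested `blockquote` elements, the other breakage the ticket mentions, and general tag allowlisting are separate steps.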