Description
In the campaign builder step editor, users can write rich email copy. If a user pastes or inputs malicious HTML code (such as <script>alert('XSS')</script>), the email sending tasks could process it, creating a cross-site scripting (XSS) vulnerability. We need backend sanitization.
User & Contributor Value
- Contributors: Learn HTML sanitization libraries (e.g. bleach or html-sanitizer in Python) and custom serializer field validation.
- Users: High security. Prevents malicious scripts from being stored in the database or executed.
Code Locations
- backend/campaigns/serializers.py
Implementation Guide
- Add bleach or another standard HTML sanitization library to the backend dependencies.
- In SequenceStepSerializer.validate_template_body, run a sanitizer that strips script and iframe elements and any unapproved tags before the body is saved.