Customising Umbraco Invite User Email
# help-with-umbraco
c
Hi all, is it possible to alter/update the default Umbraco invite user email? We are running v10.x.x and have run into an issue where the default email template does not HTML-encode the message entered within the admin. This has been flagged as a potential security issue for our application and we need to address it. Also, does anyone know if this is by design, or should I report it as an issue on GitHub? I should also mention that we are self-hosting and not using the cloud, in case that's relevant to the discussion. Thanks,
m
https://github.com/umbraco/Umbraco-CMS/blob/contrib/src/Umbraco.Web.BackOffice/Controllers/UsersController.cs#L569-L620
It gets the message from the localised XML: https://github.com/umbraco/Umbraco-CMS/blob/contrib/src/Umbraco.Infrastructure/Mail/EmailSender.cs
So you could override that with your own HTML: https://docs.umbraco.com/umbraco-cms/extending/language-files#user-language-files
If it's actually at the email send that you want to encode the whole thing, you can replace the IEmailSender with your own concrete implementation, based around https://github.com/umbraco/Umbraco-CMS/blob/contrib/src/Umbraco.Infrastructure/Mail/EmailSender.cs, and encode the message body there?
```csharp
// Excerpt from Umbraco's EmailSender: the message is converted to a MimeMessage
// and handed to the SMTP client as-is, so nothing is encoded at this stage.
var mailMessage = message.ToMimeMessage(_globalSettings.Smtp.From);
if (_globalSettings.Smtp.DeliveryMethod == SmtpDeliveryMethod.Network)
{
    await client.SendAsync(mailMessage);
}
else
{
    client.Send(mailMessage);
}
```
Actually, rereading your message..
```csharp
// Excerpt from UsersController.SendUserInviteEmailAsync: the raw invite message
// is passed as a token value into the localised "inviteEmailCopyFormat" template.
var emailBody = _localizedTextService.Localize("user", "inviteEmailCopyFormat",
    // Ensure the culture of the found user is used for the email!
    UmbracoUserExtensions.GetUserCulture(to?.Language, _localizedTextService, _globalSettings),
    new[] { userDisplay?.Name, from, message, inviteUri.ToString(), senderEmail });
```
It's the token replacement that you say isn't encoding: https://github.com/umbraco/Umbraco-CMS/blob/contrib/src/Umbraco.Core/Services/LocalizedTextService.cs#L268-L280
```csharp
using System.Collections.Generic;
using System.Linq;

// Excerpt from LocalizedTextService: each %key% placeholder in the localised
// string is replaced with the token value verbatim; no HTML encoding is applied.
internal static string ParseTokens(string value, IDictionary<string, string?>? tokens)
{
    if (tokens == null || tokens.Any() == false)
    {
        return value;
    }

    foreach (KeyValuePair<string, string?> token in tokens)
    {
        value = value.Replace(string.Concat("%", token.Key, "%"), token.Value);
    }

    return value;
}
```
🤷‍♂️
c
Thanks Mike, I'll have a read through shortly. Just being pulled into a meeting.
Hi again, yes, I believe you have nailed the bit of code that is relevant. It would appear that the %2% token is being replaced with the emailBody string and there is no HTML encoding of that string being carried out. https://github.com/umbraco/Umbraco-CMS/blob/ea642d69e5e71fec6f0203433b7ddbabb582ef6a/src/Umbraco.Core/EmbeddedResources/Lang/en.xml#L2194 I'm not certain of the ramifications of overriding the "ParseTokens" method, or if it is even possible, leaving HTML-encoding the value before this in the "PostUserInvite" action or the subsequent "SendUserInviteEmailAsync" method referenced above. As this is an underlying Umbraco CMS piece of code that leads to HTML injection being possible, I will raise an issue on GitHub for the time being while I continue to dig.
s
Please report security issues at security@umbraco.com, not on a public issue tracker.
c
Thanks, spotted this when I went to GitHub. I have sent an email as suggested.
Sent to 'security@umbraco.dk' as this was the email listed on GitHub. Is this equivalent, or should I resend to the .com email as well? https://github.com/umbraco/Umbraco-CMS/security/policy
s
Yeah sorry, same alias, both work! Thanks!