
fix(pages/api): escape html in send-email

This commit is contained in:
divlo 2021-04-20 19:56:02 +02:00
parent 3e18536c2e
commit 4b7d184c91


@ -17,21 +17,19 @@ const emailTransporter = nodemailer.createTransport({
} }
}) })
export default async ( const handler = async (
request: NextApiRequest, request: NextApiRequest,
response: NextApiResponse response: NextApiResponse
): Promise<any> => { ): Promise<any> => {
if (request.method !== 'POST') { if (request.method !== 'POST') {
return response.redirect('/404') return response.redirect('/404')
} }
const { name, email, subject, message } = request.body as {
let { name, email, subject, message } = request.body as {
name: string name: string
email: string email: string
subject: string subject: string
message: string message: string
} }
if ( if (
validator.isEmpty(name) || validator.isEmpty(name) ||
validator.isEmpty(email) || validator.isEmpty(email) ||
@ -40,26 +38,18 @@ export default async (
) { ) {
return response.status(400).json({ type: 'requiredFields' }) return response.status(400).json({ type: 'requiredFields' })
} }
if (!validator.isEmail(email)) { if (!validator.isEmail(email)) {
return response.status(400).json({ type: 'invalidEmail' }) return response.status(400).json({ type: 'invalidEmail' })
} }
email = validator.normalizeEmail(email) as string
message = validator.trim(message)
message = validator.escape(message)
subject = validator.trim(subject)
subject = validator.escape(subject)
try { try {
await emailTransporter.sendMail({ await emailTransporter.sendMail({
from: '"Divlo" <contact@divlo.fr>', from: '"Divlo" <contact@divlo.fr>',
to: email, to: email,
subject: `Contact - ${subject}`, subject: `Contact - ${validator.escape(subject)}`,
html: ` html: `
<b>Name:</b> ${name} <br/> <b>Name:</b> ${validator.escape(name)} <br/>
<b>Email:</b> ${email} <br/> <b>Email:</b> ${validator.escape(email)} <br/>
<b>Message:</b> ${message} <b>Message:</b> ${validator.escape(message)}
` `
}) })
return response.status(201).json({ type: 'success' }) return response.status(201).json({ type: 'success' })
@ -67,3 +57,5 @@ export default async (
return response.status(500).json({ type: 'serverError' }) return response.status(500).json({ type: 'serverError' })
} }
} }
export default handler
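Review bot: `validator.escape(subject)` on the `subject:` line of the second hunk applies HTML entity encoding to a mail header, which is plain text, so a subject containing `&` or a quote reaches the recipient as a literal `&amp;` or `&#x27;`; the `html:` field is the only place that escaping belongs. What the Subject line needs instead is removal of line breaks and other control characters — nodemailer appears to fold and encode header values itself, but stripping them at the boundary avoids relying on that: `subject: \`Contact - ${subject.replace(/[\r\n]/g, ' ')}\``. In the first hunk, `request.body as { … string }` is only a compile-time cast; if a client sends a non-string field, `validator.isEmpty` appears to throw on a non-string argument before the `try` block is reached, so a `typeof x === 'string'` check on each field ahead of validation would route that case to the existing 400 response as well. The handler spans all three hunks; the `catch` branch and the rest of the `if` condition are not shown.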