[IMPROVE] Escape parameters before send them to email template (#11644)

packages/rocketchat-lib/server/functions/saveUser.js

@@ -141,9 +141,9 @@ RocketChat.saveUser = function(userId, userData) {
 
 			subject = RocketChat.placeholders.replace(subject);
 			html = RocketChat.placeholders.replace(html, {
-				name: userData.name,
-				email: userData.email,
-				password: userData.password
+				name: s.escapeHTML(userData.name),
+				email: s.escapeHTML(userData.email),
+				password: s.escapeHTML(userData.password)
 			});
 
 			const email = {

packages/rocketchat-lib/server/methods/sendInvitationEmail.js

 import _ from 'underscore';
+import s from 'underscore.string';
 
 Meteor.methods({
 	sendInvitationEmail(emails) {
@@ -40,7 +41,7 @@ Meteor.methods({
 		validEmails.forEach(email => {
 			this.unblock();
 			html = RocketChat.placeholders.replace(html, {
-				email
+				email: s.escapeHTML(email)
 			});
 			try {
 				Email.send({

packages/rocketchat-mailer/server/functions/sendMail.js

 /*globals Mailer */
+import s from 'underscore.string';
+
 Mailer.sendMail = function(from, subject, body, dryrun, query) {
 
 	const rfcMailPatternWithName = /^(?:.*<)?([a-zA-Z0-9.!#$%&'*+\/=?^_`{|}~-]+@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*)(?:>?)$/;
@@ -60,8 +62,8 @@ Mailer.sendMail = function(from, subject, body, dryrun, query) {
 					_id: user._id,
 					createdAt: user.createdAt.getTime()
 				})),
-				name: user.name,
-				email
+				name: s.escapeHTML(user.name),
+				email: s.escapeHTML(email)
 			});
 			email = `${ user.name } <${ email }>`;
 			if (rfcMailPatternWithName.test(email)) {

server/lib/accounts.js

@@ -27,9 +27,9 @@ Accounts.emailTemplates.userToActivate = {
 		const email = options.reason ? 'Accounts_Admin_Email_Approval_Needed_With_Reason_Default' : 'Accounts_Admin_Email_Approval_Needed_Default';
 
 		const html = RocketChat.placeholders.replace(TAPi18n.__(email), {
-			name: options.name,
-			email: options.email,
-			reason: options.reason
+			name: s.escapeHTML(options.name),
+			email: s.escapeHTML(options.email),
+			reason: s.escapeHTML(options.reason)
 		});
 
 		return header + html + footer;
@@ -52,7 +52,7 @@ Accounts.emailTemplates.userActivated = {
 		const action = active ? (username ? 'Activated' : 'Approved') : 'Deactivated';
 
 		const html = RocketChat.placeholders.replace(TAPi18n.__(`Accounts_Email_${ action }`), {
-			name
+			name: s.escapeHTML(name)
 		});
 
 		return header + html + footer;
@@ -99,8 +99,8 @@ Accounts.emailTemplates.enrollAccount.html = function(user = {}/*, url*/) {
 	const footer = RocketChat.placeholders.replace(RocketChat.settings.get('Email_Footer') || '');
 
 	html = RocketChat.placeholders.replace(html, {
-		name: user.name,
-		email: user.emails && user.emails[0] && user.emails[0].address
+		name: s.escapeHTML(user.name),
+		email: user.emails && user.emails[0] && s.escapeHTML(user.emails[0].address)
 	});
 
 	return header + html + footer;

server/methods/sendForgotPasswordEmail.js

@@ -13,9 +13,14 @@ Meteor.methods({
 			email = (user.emails || []).map(item => item.address).find(userEmail => regex.test(userEmail));
 
 			if (RocketChat.settings.get('Forgot_Password_Customized')) {
-				const data = { name: user.name, email };
-				const subject = RocketChat.placeholders.replace(RocketChat.settings.get('Forgot_Password_Email_Subject') || '', data);
-				const html = RocketChat.placeholders.replace(RocketChat.settings.get('Forgot_Password_Email') || '', data);
+				const subject = RocketChat.placeholders.replace(RocketChat.settings.get('Forgot_Password_Email_Subject') || '', {
+					name: user.name,
+					email
+				});
+				const html = RocketChat.placeholders.replace(RocketChat.settings.get('Forgot_Password_Email') || '', {
+					name: s.escapeHTML(user.name),
+					email: s.escapeHTML(email)
+				});
 
 				Accounts.emailTemplates.from = `${ RocketChat.settings.get('Site_Name') } <${ RocketChat.settings.get('From_Email') }>`;