feat(templates): add support for HTML templates#643
Open
Mirrrek wants to merge 1 commit into
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds a
isHTML?: boolean;field toEmailTemplate, deciding if thebody: stringshould be escaped before template use or not. TheTemplateFormhas an additional button to select between plaintext mode and HTML mode.Changes
EmailTemplatehas newisHTML?: booleanfield (since it's optional, it should be backwards compatible)TemplateFormhas new "HTML" checkbox to indicate the body is HTMLEmailComposeronly escapes template body ifisHTMLis falsyPlaceholderFillModalusesdangerouslySetInnerHTMLifisHTMLis trueimportTemplatesdoes not sanitize (at all!) template body ifisHTMLis trueRelated Issues
Closes #620
Type of Change
Checklist
npm run typecheck && npm run lintand there are no errorsnpm run build)locales/) if my changes affect user-facing textScreenshots / Demo
Before:


After:


Notes for Reviewers
I'm getting lint warnings from other parts of the code and a Next.js runtime error
Failed to create address book. None of those are caused by the changes.The button label (currently just "HTML") should ideally be changed to "Is HTML" (or similar), but that would require translations.
Security concerns
No sanitization is performed on the templates. This shouldn't be too much of an issue since the templates are written by the user and not downloaded from any other source. Still, however, users may copy HTML from unknown sources or, even worse, import templates without even seeing them. Those templates may contain arbitrary code and lead to Self-XSS.
Ideally, the templates should be sanitized the same way emails are in
EmailViewer(at least usingDOMPurify). Isolating them in an iframe likely won't be an option since that would require changes to theRichTextEditor.For now, at least when importing templates, a confirmation modal with a warning should show up for templates written in HTML.