mroderick / codebar-planner
95%
master: 95%

Repo Added 11 Jul 2025 08:20PM UTC

Token vPb66DExHmn8kKCIdxCr3cvXvGCjXCICV regen

Build 50 Last

Files 174

Badge

Embed ▾

LAST BUILD ON BRANCH fix/event-description-xss-vulnerability
branch: fix/event-description-xss-vulnerability

CHANGE BRANCH
x

Reset

Sync Branches

fix/event-description-xss-vulnerability

add-docs

add-editor-config

add-scout-apm

add-sitemap-generator

attempt-to-fix-issue-template

bundle-ignore-junk

freeze-postgres-version

imagemagick-check

improve-intro-text

improve-language

improve-repository-configs

increase-delayed-job-max-runtime

issue-2367-workshop-feedback

link-to-chapters-from-pills

lock-gem-platforms

make-event-rendering-faster

optimise-images

policy-tests

remove-2024-impact-report-banner

remove-bootsnap

remove-go-squared

remove-google-analytics

remove-meta-partial

remove-puma-cluster-mode-config

remove-skylight

remove-twitter

remove-unused-i18n-features

remove-unused-new-relic

speedup-ci-tests

stop-pinning-image-processing

update-year-for-impact-report

upgrade-ruby

use-playwright

use-rails-7-1-defaults

Committed 20 Jan 2026 06:19PM UTC coverage: 95.04%. First build

Build # 21182606742

Build Type

push

github

Committed by

mroderick

Commit Message

Fix XSS vulnerability in event invitation emails

Replace `.html_safe` with `sanitize()` for event descriptions in email
templates to prevent potential XSS attacks while still allowing safe HTML
formatting tags.

Changes:
- Replace @event.description.html_safe with sanitize(@event.description)
  in invite_student.html.haml
- Replace @event.description.html_safe with sanitize(@event.description)
  in invite_coach.html.haml
- Add XSS protection test specs to verify dangerous tags are stripped
  while safe content is preserved

The sanitize helper uses Rails' built-in SafeListSanitizer which:
- Strips dangerous tags like <script> and event handlers (onclick, etc.)
- Allows safe HTML formatting tags (p, strong, em, a, br, etc.)
- Matches the pattern already used in non-email views throughout the codebase

Security: Fixes potential XSS vulnerability where malicious HTML/JavaScript
in event descriptions could be executed in invitation emails.

Run Details

3238 of 3407 relevant lines covered (95.04%)

80.45 hits per line

Relevant lines Covered

3407 RELEVANT LINES 3238 COVERED LINES

80.45 HITS PER LINE

Source Files on fix/event-description-xss-vulnerability

Recent builds

Builds	Branch	Commit	Type	Ran	Committer	Via	Coverage
21182606742	fix/event-description-xss-vulnerability	Fix XSS vulnerability in event invitation emails Replace `.html_safe` with `sanitize()` for event descriptions in email templates to prevent potential XSS attacks while still allowing safe HTML formatting tags. Changes: - Replace @event.descript...	push	20 Jan 2026 06:28PM UTC	mroderick	github	95.04

See All Builds (50)

Badge your Repo: codebar-planner

We detected this repo isn’t badged! Grab the embed code to the right, add it to your repo to show off your code coverage, and when the badge is live hit the refresh button to remove this message.

Embed ▾

Refresh

mroderick / codebar-planner
95%
master: 95%

README BADGES
x

Markdown

Textile

RDoc

HTML

Rst

CHANGE BRANCH
x

Relevant lines Covered

Source Files on fix/event-description-xss-vulnerability

Recent builds

Badge your Repo: codebar-planner

README BADGES
x

Markdown

Textile

RDoc

HTML

Rst

mroderick / codebar-planner 95% master: 95%

README BADGES x

Markdown

Textile

RDoc

HTML

Rst

CHANGE BRANCH x

Relevant lines Covered

Source Files on fix/event-description-xss-vulnerability

Recent builds

Badge your Repo: codebar-planner

README BADGES x

Markdown

Textile

RDoc

HTML

Rst

mroderick / codebar-planner
95%
master: 95%

README BADGES
x

CHANGE BRANCH
x

README BADGES
x