fix(email): prevent organization invite autolinks (#4088)

* fix(email): prevent organization invite autolinks

* fix(orgs): restrict organization name characters

* fix(orgs): allow existing organization name formats

* test(orgs): remove unrelated invite autolink assertion

* fix(email): simplify autolink neutralization

Author: RSO

apps/web/src/lib/email.test.ts

@@ -0,0 +1,13 @@
+import { renderNonAutolinkedText } from '@/lib/email';
+
+describe('email rendering helpers', () => {
+  it('escapes HTML while neutralizing URL autolinking', () => {
+    const rendered = renderNonAutolinkedText(
+      '<b>https://evil.example</b> www.bad.example acme.com'
+    );
+
+    expect(rendered.html).toBe(
+      '&lt;b&gt;https:/&#8203;/&#8203;evil.&#8203;example&lt;/&#8203;b&gt; www.&#8203;bad.&#8203;example acme.&#8203;com'
+    );
+  });
+});

apps/web/src/lib/email.ts

@@ -79,6 +79,10 @@ export class RawHtml {
 
 type TemplateVars = Record<string, string | RawHtml>;
 
+export function renderNonAutolinkedText(str: string): RawHtml {
+  return new RawHtml(escapeHtml(str).replace(/[/.]/g, '$&&#8203;'));
+}
+
 export function renderTemplate(name: string, vars: TemplateVars): string {
   const templatePath = path.join(process.cwd(), 'src', 'emails', `${name}.html`);
   const html = fs.readFileSync(templatePath, 'utf-8');
@@ -203,7 +207,7 @@ export async function sendOrganizationInviteEmail(
     to: data.to,
     templateName: 'orgInvitation',
     templateVars: {
-      organization_name: data.organizationName,
+      organization_name: renderNonAutolinkedText(data.organizationName),
       inviter_name: data.inviterName,
       accept_invite_url: data.acceptInviteUrl,
     },