fix: Sanitize email template body with HTMLPurifier (#1105)

daveearley · web-flow · commit 54e006837bbc · 2026-03-17T08:39:26.000Z
diff --git a/backend/app/Services/Application/Handlers/EmailTemplate/CreateEmailTemplateHandler.php b/backend/app/Services/Application/Handlers/EmailTemplate/CreateEmailTemplateHandler.php
@@ -8,12 +8,14 @@
 use HiEvents\Repository\Interfaces\EmailTemplateRepositoryInterface;
 use HiEvents\Services\Application\Handlers\EmailTemplate\DTO\UpsertEmailTemplateDTO;
 use HiEvents\Services\Domain\Email\EmailTemplateService;
+use HiEvents\Services\Infrastructure\HtmlPurifier\HtmlPurifierService;
 
 class CreateEmailTemplateHandler
 {
     public function __construct(
         private readonly EmailTemplateRepositoryInterface $emailTemplateRepository,
         private readonly EmailTemplateService             $emailTemplateService,
+        private readonly HtmlPurifierService              $purifier,
     )
     {
     }
@@ -50,7 +52,7 @@ public function handle(UpsertEmailTemplateDTO $dto): EmailTemplateDomainObject
             'event_id' => $dto->event_id,
             'template_type' => $dto->template_type->value,
             'subject' => $dto->subject,
-            'body' => $dto->body,
+            'body' => $this->purifier->purify($dto->body),
             'cta' => $dto->cta,
             'engine' => $dto->engine->value,
             'is_active' => $dto->is_active,
diff --git a/backend/app/Services/Application/Handlers/EmailTemplate/UpdateEmailTemplateHandler.php b/backend/app/Services/Application/Handlers/EmailTemplate/UpdateEmailTemplateHandler.php
@@ -9,12 +9,14 @@
 use HiEvents\Repository\Interfaces\EmailTemplateRepositoryInterface;
 use HiEvents\Services\Application\Handlers\EmailTemplate\DTO\UpsertEmailTemplateDTO;
 use HiEvents\Services\Domain\Email\EmailTemplateService;
+use HiEvents\Services\Infrastructure\HtmlPurifier\HtmlPurifierService;
 
 class UpdateEmailTemplateHandler
 {
     public function __construct(
         private readonly EmailTemplateRepositoryInterface $emailTemplateRepository,
-        private readonly EmailTemplateService $emailTemplateService
+        private readonly EmailTemplateService $emailTemplateService,
+        private readonly HtmlPurifierService $purifier,
     ) {
     }
 
@@ -47,7 +49,7 @@ public function handle(UpsertEmailTemplateDTO $dto): EmailTemplateDomainObject
 
         return $this->emailTemplateRepository->updateFromArray($template->getId(), [
             'subject' => $dto->subject,
-            'body' => $dto->body,
+            'body' => $this->purifier->purify($dto->body),
             'cta' => $dto->cta,
             'engine' => $dto->engine->value,
             'is_active' => $dto->is_active,

Original file line number	Diff line number	Diff line change
`@@ -8,12 +8,14 @@`
`8`	`8`	`use HiEvents\Repository\Interfaces\EmailTemplateRepositoryInterface;`
`9`	`9`	`use HiEvents\Services\Application\Handlers\EmailTemplate\DTO\UpsertEmailTemplateDTO;`
`10`	`10`	`use HiEvents\Services\Domain\Email\EmailTemplateService;`
	`11`	`+use HiEvents\Services\Infrastructure\HtmlPurifier\HtmlPurifierService;`
`11`	`12`
`12`	`13`	`class CreateEmailTemplateHandler`
`13`	`14`	`{`
`14`	`15`	`public function __construct(`
`15`	`16`	`private readonly EmailTemplateRepositoryInterface $emailTemplateRepository,`
`16`	`17`	`private readonly EmailTemplateService $emailTemplateService,`
	`18`	`+ private readonly HtmlPurifierService $purifier,`
`17`	`19`	`)`
`18`	`20`	`{`
`19`	`21`	`}`
`@@ -50,7 +52,7 @@ public function handle(UpsertEmailTemplateDTO $dto): EmailTemplateDomainObject`
`50`	`52`	`'event_id' => $dto->event_id,`
`51`	`53`	`'template_type' => $dto->template_type->value,`
`52`	`54`	`'subject' => $dto->subject,`
`53`		`- 'body' => $dto->body,`
	`55`	`+ 'body' => $this->purifier->purify($dto->body),`
`54`	`56`	`'cta' => $dto->cta,`
`55`	`57`	`'engine' => $dto->engine->value,`
`56`	`58`	`'is_active' => $dto->is_active,`