fix: properly implement sanitization in Var

Author: cyyynthia

backend/data/src/main/kotlin/io/tolgee/email/EmailMessageSource.kt

@@ -30,7 +30,8 @@ import java.util.regex.Pattern
  * Cannot be written as a subclass of ICUReloadableResourceBundleMessageSource as its `getMessage` methods are final.
  */
 class EmailMessageSource(
-	private val provider: ICUMessageSource
+	private val provider: ICUMessageSource,
+	private val emailTemplateUtils: EmailTemplateUtils
 ) : ICUMessageSource {
 	private var counter = 0L
 
@@ -103,14 +104,7 @@ class EmailMessageSource(
 	private fun makeRef(): String = "intl-ref-${count()}"
 
 	private fun String.postProcessMessage(code: String): String {
-		var str = this.replace("\n", "<br/>")
-			// Prevent Thymeleaf injection (for the second pass)
-			.replace("{", "&#123;")
-			.replace("[", "&#91;")
-			.replace("$", "&#36;")
-			.replace("*", "&#42;")
-			.replace("#", "&#35;")
-			.replace("~", "&#126;")
+		var str = emailTemplateUtils.escape(this).replace("\n", "<br/>")
 
 		// Dumb heuristic to skip XML parsing for trivial cases, to improve performance.
 		if (contains('<') && contains('>')) {
@@ -123,7 +117,9 @@ class EmailMessageSource(
 					stack.add(m.group(2))
 
 					val ref = makeRef()
-					val replacement = "<div th:ref=\"$ref\" th:replace=\"~{::intl-${stack.joinToString("--")}(~{:: $ref/content})}\"><content th:remove=\"tag\">"
+					val replacement = "<div th:ref=\"$ref\" th:replace=\"~{::intl-${stack.joinToString(
+            "--"
+          )}(~{:: $ref/content})}\"><content th:remove=\"tag\">"
 					str = str.replaceRange(delta + m.start(), delta + m.end(), replacement)
 					delta += replacement.length - (m.end() - m.start())
 				} else {

backend/data/src/main/kotlin/io/tolgee/email/EmailService.kt

@@ -19,16 +19,19 @@ package io.tolgee.email
 import io.tolgee.configuration.tolgee.SmtpProperties
 import io.tolgee.dtos.misc.EmailAttachment
 import org.springframework.beans.factory.annotation.Qualifier
+import org.springframework.context.ApplicationContext
 import org.springframework.mail.javamail.JavaMailSender
 import org.springframework.mail.javamail.MimeMessageHelper
 import org.springframework.scheduling.annotation.Async
 import org.springframework.stereotype.Service
 import org.thymeleaf.TemplateEngine
 import org.thymeleaf.context.Context
+import org.thymeleaf.spring6.expression.ThymeleafEvaluationContext
 import java.util.*
 
 @Service
 class EmailService(
+	private val applicationContext: ApplicationContext,
   private val smtpProperties: SmtpProperties,
   private val mailSender: JavaMailSender,
 	private val emailGlobalVariablesProvider: EmailGlobalVariablesProvider,
@@ -50,15 +53,17 @@ class EmailService(
     properties: Map<String, Any> = mapOf(),
     attachments: List<EmailAttachment> = listOf(),
   ) {
-    val context = Context(locale, properties)
 		val globalVariables = emailGlobalVariablesProvider()
+		val context = Context(locale, properties)
 		context.setVariables(globalVariables)
 
+		// Required because we're outside of Spring MVC here
+		// Otherwise, bean resolution does not work for some reason
+		val tec = ThymeleafEvaluationContext(applicationContext, null)
+		context.setVariable(ThymeleafEvaluationContext.THYMELEAF_EVALUATION_CONTEXT_CONTEXT_VARIABLE_NAME, tec)
+
 		// Do two passes, so Thymeleaf expressions rendered by messages can get processed
-		context.setVariable("isSecondPass", false)
     val firstPass = templateEngine.process(template, context)
-
-		context.setVariable("isSecondPass", true)
 		val html = templateEngine.process(firstPass, context)
 
     val subject = extractEmailTitle(html)

backend/data/src/main/kotlin/io/tolgee/email/EmailTemplateConfig.kt

@@ -31,36 +31,41 @@ import java.util.*
 
 @Configuration
 class EmailTemplateConfig {
-  @Bean("emailTemplateResolver")
-  fun templateResolver(): ClassLoaderTemplateResolver {
-    val templateResolver = ClassLoaderTemplateResolver()
-    templateResolver.characterEncoding = "UTF-8"
-    templateResolver.prefix = "/email-templates/"
-    templateResolver.suffix = ".html"
-    return templateResolver
-  }
+	@Bean("emailTemplateResolver")
+	fun templateResolver(): ClassLoaderTemplateResolver {
+		val templateResolver = ClassLoaderTemplateResolver()
+		templateResolver.characterEncoding = "UTF-8"
+		templateResolver.prefix = "/email-templates/"
+		templateResolver.suffix = ".html"
+		return templateResolver
+	}
 
-  @Bean("emailMessageSource")
-  fun messageSource(): ICUMessageSource {
-    val messageSource = ICUReloadableResourceBundleMessageSource()
-    messageSource.setBasenames("email-i18n/messages", "email-i18n-test/messages")
-    messageSource.setDefaultEncoding("UTF-8")
-    messageSource.setDefaultLocale(Locale.ENGLISH)
-    return EmailMessageSource(messageSource)
-  }
+	@Bean("emailMessageSource")
+	fun messageSource(emailTemplateUtils: EmailTemplateUtils): ICUMessageSource {
+		val messageSource = ICUReloadableResourceBundleMessageSource()
+		messageSource.setBasenames("email-i18n/messages", "email-i18n-test/messages")
+		messageSource.setDefaultEncoding("UTF-8")
+		messageSource.setDefaultLocale(Locale.ENGLISH)
+		return EmailMessageSource(messageSource, emailTemplateUtils)
+	}
 
-  @Bean("emailTemplateEngine")
-  fun templateEngine(
-    @Qualifier("emailTemplateResolver") templateResolver: ITemplateResolver,
-    @Qualifier("emailMessageSource") messageSource: MessageSource,
-  ): TemplateEngine {
+	@Bean("emailTemplateEngine")
+	fun templateEngine(
+		@Qualifier("emailTemplateResolver") templateResolver: ITemplateResolver,
+		@Qualifier("emailMessageSource") messageSource: MessageSource,
+	): TemplateEngine {
 		val stringTemplateResolver = StringTemplateResolver()
 		stringTemplateResolver.resolvablePatternSpec.addPattern("<!DOCTYPE*")
 
-    val templateEngine = SpringTemplateEngine()
-    templateEngine.enableSpringELCompiler = true
-    templateEngine.templateResolvers = setOf(stringTemplateResolver, templateResolver)
-    templateEngine.setTemplateEngineMessageSource(messageSource)
-    return templateEngine
-  }
+		val templateEngine = SpringTemplateEngine()
+		templateEngine.enableSpringELCompiler = true
+		templateEngine.templateResolvers = setOf(stringTemplateResolver, templateResolver)
+		templateEngine.setTemplateEngineMessageSource(messageSource)
+		return templateEngine
+	}
+
+	@Bean("emailTemplateUtils")
+	fun emailTemplateUtils(): EmailTemplateUtils {
+		return EmailTemplateUtils()
+	}
 }

backend/data/src/main/kotlin/io/tolgee/email/EmailTemplateUtils.kt

@@ -0,0 +1,29 @@
+/**
+ * Copyright (C) 2025 Tolgee s.r.o. and contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *         http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.tolgee.email
+
+class EmailTemplateUtils {
+	fun escape(str: String): String {
+		// Prevent Thymeleaf injection (for the second pass)
+		return str.replace("{", "{")
+			.replace("[", "[")
+			.replace("$", "$")
+			.replace("*", "*")
+			.replace("#", "#")
+			.replace("~", "~")
+	}
+}

backend/data/src/test/kotlin/io/tolgee/email/EmailServiceTest.kt

@@ -118,11 +118,11 @@ class EmailServiceTest {
 
 		val email = emailCaptor.value
 		email.assertContents()
-			.contains("Plain test: <span>Name #1</span>")
+			.contains("Plain test: <span>Name &#35;1</span>")
 			.contains("<span>ICU test: Name &#35;1</span>")
-			.contains("Plain test: <span>Name #2</span>")
+			.contains("Plain test: <span>Name &#35;2</span>")
 			.contains("<span>ICU test: Name &#35;2</span>")
-			.contains("Plain test: <span>Name #3</span>")
+			.contains("Plain test: <span>Name &#35;3</span>")
 			.contains("<span>ICU test: Name &#35;3</span>")
 	}
 

email/components/Var.ts

@@ -23,19 +23,13 @@ type Props = {
 };
 
 export default function Var({ variable, demoValue, injectHtml }: Props) {
-  const attr = injectHtml ? 'th:utext' : 'th:text';
-
-  if (process.env.NODE_ENV === 'production') {
-    // This is rendered using the same two-pass trick used in translate.ts
-    // It's done to prevent this from being a potential vector of injection
-    return React.createElement('th:block', {
-      'th:utext': `'<span ${attr}="\${${variable}}"></span>'`,
-    });
-  }
-
   return React.createElement(
     'span',
-    { [injectHtml ? 'th:utext' : 'th:text']: `\${${variable}}` },
+    {
+      'th:utext': injectHtml
+        ? `\${${variable}}`
+        : `\${@emailTemplateUtils.escape(#strings.escapeXml(${variable}))}`,
+    },
     demoValue
   );
 }

email/components/translate.ts

@@ -122,7 +122,7 @@ function processMessageElements(
           React.cloneElement(
             demoParams[node.value](
               React.createElement('th:block', {
-                'th:utext': '\'<div th:replace="${_children}"></div>\'',
+                'th:utext': '\'<div th:replace="${_children} ?: ~{}"></div>\'',
               })
             ),
             { key: templateId }