[core] improve countly user password change experience

waiterZen · waiterZen · commit 0bbdf237ac6f · 2019-09-17T16:23:41.000+08:00
diff --git a/api/parts/mgmt/mail.js b/api/parts/mgmt/mail.js
@@ -98,16 +98,26 @@ mail.sendLocalizedMessage = function(lang, to, subject, message, callback) {
     });
 };
 
+/**
+ * encode string to escape html code
+ * @param {string} s inputed string
+ * @return {string} newString new string escaped html code
+ */
+mail.escapedHTMLString = function(s) {
+    const newString = s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
+    return newString;
+}
 /**
 * Email to send to new members
 * @param {object} member - member document
 * @param {string} memberPassword - OTP for member to authorize
 **/
 mail.sendToNewMember = function(member, memberPassword) {
     member.lang = member.lang || "en";
+    const password = mail.escapedHTMLString(memberPassword);
     mail.lookup(function(err, host) {
         localize.getProperties(member.lang, function(err2, properties) {
-            var message = localize.format(properties["mail.new-member"], mail.getUserFirstName(member), host, member.username, memberPassword);
+            var message = localize.format(properties["mail.new-member"], mail.getUserFirstName(member), host, member.username, password);
             mail.sendMessage(member.email, properties["mail.new-member-subject"], message);
         });
     });
@@ -120,9 +130,10 @@ mail.sendToNewMember = function(member, memberPassword) {
 **/
 mail.sendToUpdatedMember = function(member, memberPassword) {
     member.lang = member.lang || "en";
+    const password = mail.escapedHTMLString(memberPassword);
     mail.lookup(function(err, host) {
         localize.getProperties(member.lang, function(err2, properties) {
-            var message = localize.format(properties["mail.password-change"], mail.getUserFirstName(member), host, member.username, memberPassword);
+            var message = localize.format(properties["mail.password-change"], mail.getUserFirstName(member), host, member.username, password);
             mail.sendMessage(member.email, properties["mail.password-change-subject"], message);
         });
     });
diff --git a/extend/aws_ses.example.js b/extend/aws_ses.example.js
@@ -46,21 +46,30 @@ module.exports = function(mail) {
         }, callback);
     };
 
+    mail.escapedHTMLString = function(s) {
+        const newString = s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
+        return newString;
+    };
+
     mail.sendToNewMember = function(member, memberPassword) {
+        const password = mail.escapedHTMLString(memberPassword);
+
         mail.lookup(function(err, host) {
             mail.sendMessage(member.email, "Your " + company + " Account",
                 "Hi " + mail.getUserFirstName(member) + ",<br/><br/>\n" +
                 "Your " + company + " account on <a href='" + host + "'>" + host + "</a> is created with the following details;<br/><br/>\n" +
-                "Username: " + member.username + "<br/>Password: " + memberPassword + "<br/><br/>\n" +
+                "Username: " + member.username + "<br/>Password: " + password + "<br/><br/>\n" +
                 "Enjoy,<br/>A fellow " + company + " Admin");
         });
     };
 
     mail.sendToUpdatedMember = function(member, memberPassword) {
+        const password = mail.escapedHTMLString(memberPassword);
+
         mail.lookup(function(err, host) {
             mail.sendMessage(member.email, "" + company + " Account - Password Change", "Hi " + mail.getUserFirstName(member) + ",<br/><br/>\n" +
             "Your password for your " + company + " account on <a href='" + host + "'>" + host + "</a> has been changed. Below you can find your updated account details;<br/><br/>\n" +
-            "Username: " + member.username + "<br/>Password: " + memberPassword + "<br/><br/>\n" +
+            "Username: " + member.username + "<br/>Password: " + password + "<br/><br/>\n" +
             "Best,<br/>A fellow " + company + " Admin");
         });
     };
diff --git a/extend/mail.example.js b/extend/mail.example.js
@@ -41,21 +41,30 @@ module.exports = function(mail) {
         }, callback);
     };
 
+    mail.escapedHTMLString = function(s) {
+        const newString = s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
+        return newString;
+    };
+
     mail.sendToNewMember = function(member, memberPassword) {
+        const password = mail.escapedHTMLString(memberPassword);
+
         mail.lookup(function(err, host) {
             mail.sendMessage(member.email, "Your " + company + " Account",
                 "Hi " + mail.getUserFirstName(member) + ",<br/><br/>\n" +
                 "Your " + company + " account on <a href='" + host + "'>" + host + "</a> is created with the following details;<br/><br/>\n" +
-                "Username: " + member.username + "<br/>Password: " + memberPassword + "<br/><br/>\n" +
+                "Username: " + member.username + "<br/>Password: " + password + "<br/><br/>\n" +
                 "Enjoy,<br/>A fellow " + company + " Admin");
         });
     };
 
     mail.sendToUpdatedMember = function(member, memberPassword) {
+        const password = mail.escapedHTMLString(memberPassword);
+
         mail.lookup(function(err, host) {
             mail.sendMessage(member.email, "" + company + " Account - Password Change", "Hi " + mail.getUserFirstName(member) + ",<br/><br/>\n" +
             "Your password for your " + company + " account on <a href='" + host + "'>" + host + "</a> has been changed. Below you can find your updated account details;<br/><br/>\n" +
-            "Username: " + member.username + "<br/>Password: " + memberPassword + "<br/><br/>\n" +
+            "Username: " + member.username + "<br/>Password: " + password + "<br/><br/>\n" +
             "Best,<br/>A fellow " + company + " Admin");
         });
     };
