
Potential fix for code scanning alert no. 3: Client-side cross-site scripting#1

Draft
Clic-stack wants to merge 1 commit into main from alert-autofix-3

Conversation

@Clic-stack
Owner

Potential fix for https://github.com/Clic-stack/Auth-Mailer-API/security/code-scanning/3

In general, to fix this type of issue you must ensure that any untrusted data included in HTML content is either (a) properly sanitized as HTML, or (b) encoded for the specific context (element text, attribute, URL) before being inserted. Centralizing this in the email-sending layer is best, so all callers benefit automatically.

The best single change here is to sanitize the html passed into sendEmail using a well-known HTML sanitization library. The file already references isomorphic-dompurify in a comment, which is appropriate for server-side sanitization because it includes its own DOM implementation. We can import DOMPurify from isomorphic-dompurify, sanitize the incoming html before building mailOptions, and send the sanitized version instead. This preserves existing functionality (HTML emails still work and templates still interpolate user data) while removing dangerous tags/attributes. All current callers (sayHi, create, resetPasswordRequest) will then automatically send sanitized HTML.

Concretely:

  • In email-api/src/mails/mailer.js:
    • Uncomment/replace the DOMPurify import line to actually import DOMPurify from isomorphic-dompurify.
    • Inside sendEmail, call DOMPurify.sanitize(html) to produce cleanHtml.
    • Use cleanHtml as the value for mailOptions.html instead of the raw html.
      No functional changes are required in emails.controller.js or users.controller.js, so we do not touch those files.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

…cripting

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
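The description above lists two acceptable fixes: (a) sanitize the finished HTML, which is what this PR does with isomorphic-dompurify, or (b) encode each untrusted value for the context it is inserted into. The block below is an added example, not code from Auth-Mailer-API or from this PR, showing option (b) for the three contexts the description names (element text, attribute, URL) beside the raw-interpolation shape the alert is about. The function names, the reset-mail template, the base URL and the attacker input are all assumptions made for the example; it has no dependencies and runs under plain Node.

```javascript
// Added example, not code from Auth-Mailer-API or the Copilot Autofix PR.
// It shows option (b) from the PR description: encoding untrusted values for
// the exact context they are inserted into (element text, attribute, URL)
// instead of, or in addition to, sanitizing the finished HTML. All function
// names, the template text and the sample inputs are assumptions.

// Element-text and double-quoted-attribute context: neutralise the five
// characters that can open or close markup or an attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// URL context: baseUrl is trusted configuration, token is untrusted.
// URLSearchParams percent-encodes the token, so it cannot add parameters,
// change the path or smuggle a different scheme into the link.
function buildResetUrl(baseUrl, token) {
  const url = new URL('/reset-password', baseUrl);
  url.searchParams.set('token', String(token));
  return url.href;
}

// Hardened template: every untrusted value passes through the encoder for the
// place it lands. The link is built first (URL context), then attribute-encoded
// because it is placed inside href="...".
function buildResetEmail({ name, token }, baseUrl) {
  const link = buildResetUrl(baseUrl, token);
  return (
    `<p>Hi ${escapeHtml(name)},</p>` +
    `<p><a href="${escapeHtml(link)}">Reset your password</a></p>`
  );
}

// The shape the code-scanning alert is about: raw interpolation of untrusted
// data into HTML. Kept only for comparison; do not use.
function buildResetEmailUnsafe({ name, token }, baseUrl) {
  return (
    `<p>Hi ${name},</p>` +
    `<p><a href="${baseUrl}/reset-password?token=${token}">Reset your password</a></p>`
  );
}

// Constructed attacker input (not real data): a payload aimed at the text
// context and one that tries to break out of the href attribute.
const attackerInput = {
  name: '<img src=x onerror=alert(1)>',
  token: '"><script>alert(1)</script>',
};

// True when the rendered email still contains a live tag from the input.
function containsMarkupFromInput(html) {
  return html.includes('<img') || html.includes('<script');
}

const demoBase = 'https://mail.example.test'; // assumed configuration value
console.log('unsafe:', buildResetEmailUnsafe(attackerInput, demoBase));
console.log('safe:  ', buildResetEmail(attackerInput, demoBase));
```

In the hardened output the name arrives as `&lt;img src=x onerror=alert(1)&gt;` and the token as `token=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E`, so neither is ever parsed as markup. Encoding at the template does not replace the sanitizer pass the PR adds to sendEmail: that pass still protects any caller that builds HTML without going through encoders like these.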
@netlify

netlify bot commented Apr 2, 2026

Deploy Preview for auth-mailer-api canceled.

Latest commit: 196a8fd
Latest deploy log: https://app.netlify.com/projects/auth-mailer-api/deploys/69cec03b9819f5000834d304
