From 196a8fdb454495e2616d666a67902f385b19497d Mon Sep 17 00:00:00 2001
From: Clio Salgado
Date: Thu, 2 Apr 2026 13:15:00 -0600
Subject: [PATCH] Potential fix for code scanning alert no. 3: Client-side cross-site scripting

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 email-api/package.json | 3 ++-
 email-api/src/mails/mailer.js | 6 +++---
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/email-api/package.json b/email-api/package.json
index 5b18d49..7bca096 100644
--- a/email-api/package.json
+++ b/email-api/package.json
@@ -18,7 +18,8 @@
 "nodemailer": "^8.0.4",
 "pg": "^8.16.3",
 "pg-hstore": "^2.3.4",
- "sequelize": "^6.37.7"
+ "sequelize": "^6.37.7",
+ "isomorphic-dompurify": "^3.7.1"
 },
 "devDependencies": {
 "@swc/jest": "^0.2.39",
diff --git a/email-api/src/mails/mailer.js b/email-api/src/mails/mailer.js
index 363efcb..93c48be 100644
--- a/email-api/src/mails/mailer.js
+++ b/email-api/src/mails/mailer.js
@@ -1,6 +1,6 @@
 import nodemailer from 'nodemailer' // Se cambia la librería
 import { env } from '../config/env.js'
-//import DOMPurify from 'isomorphic-dompurify'; // Esta librería ya trae su propio DOM interno
+import DOMPurify from 'isomorphic-dompurify'; // Esta librería ya trae su propio DOM interno
 
 const transporter = nodemailer.createTransport({
 host: "smtp.gmail.com",
@@ -17,13 +17,13 @@ const transporter = nodemailer.createTransport({
 export const sendEmail = async ({ to, subject, html }) => {
 // Ahora DOMPurify funciona directamente sin configurar nada más
- //const cleanHtml = DOMPurify.sanitize(html);
+ const cleanHtml = DOMPurify.sanitize(html);
 
 const mailOptions = {
 from: env.EMAIL,
 to,
 subject,
- html //: cleanHtml // Usamos la versión limpia
+ html: cleanHtml // Usamos la versión limpia
 }
 
 try {
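Review bot: The new `"isomorphic-dompurify": "^3.7.1"` entry at the end of the hunk is added with a caret range, but the diffstat lists only package.json and mailer.js, so if the project keeps a package-lock.json it is not regenerated in this commit; `npm ci` would then fail on the mismatch and a plain `npm install` would resolve the range afresh at install time. Regenerate the lockfile in the same change so the exact sanitizer version, and the jsdom tree it appears to pull in on Node, is pinned and reviewable. As a point of style, the new line breaks the alphabetical order the surrounding entries follow; placing it in order with the others keeps the block consistent.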
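Review bot: The re-enabled import on the new side ends with a semicolon while the two imports above it do not; keep one convention in the module, e.g. `import DOMPurify from 'isomorphic-dompurify' // Esta librería ya trae su propio DOM interno`. The trailing comment explains only why this package was chosen, not what the module uses it for; a reader would be helped by something like `// sanitises caller-supplied HTML before it is emailed (see sendEmail)`. The sendEmail hunk that consumes this import runs past the end of this excerpt, so its sanitize call is not reviewed here.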