payloadcms

Files

Jessica Rynkar 9f1bff57c1 feat: exports new sanitizeUserDataForEmail function (#13029 )

### What?

Adds a new `sanitizeUserDataForEmail` function, exported from
`payload/shared`.
This function sanitizes user data passed to email templates to prevent
injection of HTML, executable code, or other malicious content.

### Why?

In the existing `email` example, we directly insert `user.name` into the
generated email content. Similarly, the `newsletter` collection uses
`doc.name` directly in the email content. A security report identified
this as a potential vulnerability that could be exploited and used to
inject executable or malicious code.

Although this issue does not originate from Payload core, developers
using our examples may unknowingly introduce this vulnerability into
their own codebases.

### How?

Introduces the pre-built `sanitizeUserDataForEmail` function and updates
relevant email examples to use it.

**Fixes `CMS2-1225-14`**

2025-07-08 12:47:34 +01:00

astro

feat(templates): added int and e2e tests to blank and website templates (#12866 )

2025-06-26 13:55:28 -04:00

auth

refactor: remove unused assets, move remaining assets out of payload packages (#12874 )

2025-06-23 23:23:44 +00:00

custom-components

feat!: bump minimum next version to 15.2.3 (#11823 )

2025-03-24 09:41:33 -04:00

custom-server

chore(examples): remove unused imports from custom server example (#12467 )