fix(review): escape email templates, drop invalid JSON-LD, document partial-failure policy

NiallJoeMaher · claude · NiallJoeMaher · commit c1044bccad84 · 2026-04-21T13:15:30.000+01:00
Addresses the code review on PR #1330: - Critical: email templates were interpolating user-submitted strings directly into HTML, leaking an XSS surface to the admin inbox. Added utils/escapeHtml.ts with escapeHtml() + sanitizeHref() (rejects non- http(s)/mailto URIs in href attributes) and wrapped every interpolation in the volunteer, speaker, AND sponsor templates. The sponsor template fix is pre-existing-bug cleanup included in the same pass per review. - Medium: the JobPosting JSON-LD on /volunteer and /speakers violated Google's rich-results guidelines (JobPosting is for paid employment, was missing baseSalary and validThrough, and combined jobLocation with TELECOMMUTE jobLocationType). Risk of "Deceptive structured data" manual penalty. Removed both. Page-level metadata (title, description, OG, Twitter) is kept; the site-wide Organization JSON-LD from the app layout already covers brand-level structured data. - High: documented the Promise.allSettled partial-failure policy in both routers — if one channel fails we still return success to the user and rely on Sentry + console.error to flag the gap; only both failing errors out. Previously implicit. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
diff --git a/app/(app)/speakers/page.tsx b/app/(app)/speakers/page.tsx
@@ -1,5 +1,4 @@
 import type { Metadata } from "next";
-import { JsonLd } from "@/components/JsonLd";
 import { SpeakersClient } from "./_client";
 
 const PAGE_URL = "https://www.codu.co/speakers";
@@ -33,37 +32,6 @@ export const metadata: Metadata = {
   },
 };
 
-const speakerJsonLd = {
-  "@context": "https://schema.org",
-  "@type": "JobPosting",
-  title: "Speaker — Codú Meetups",
-  description: PAGE_DESCRIPTION,
-  employmentType: "VOLUNTEER",
-  hiringOrganization: {
-    "@type": "Organization",
-    name: "Codú",
-    sameAs: "https://www.codu.co",
-    logo: "https://www.codu.co/images/codu-logo.png",
-  },
-  jobLocation: {
-    "@type": "Place",
-    address: {
-      "@type": "PostalAddress",
-      addressLocality: "Dublin",
-      addressCountry: "IE",
-    },
-  },
-  applicantLocationRequirements: { "@type": "Country", name: "Worldwide" },
-  jobLocationType: "TELECOMMUTE",
-  datePosted: new Date().toISOString().split("T")[0],
-  url: PAGE_URL,
-};
-
 export default function SpeakersPage() {
-  return (
-    <>
-      <JsonLd data={speakerJsonLd} />
-      <SpeakersClient />
-    </>
-  );
+  return <SpeakersClient />;
 }
diff --git a/app/(app)/volunteer/page.tsx b/app/(app)/volunteer/page.tsx
@@ -1,5 +1,4 @@
 import type { Metadata } from "next";
-import { JsonLd } from "@/components/JsonLd";
 import { VolunteerClient } from "./_client";
 
 const PAGE_URL = "https://www.codu.co/volunteer";
@@ -34,36 +33,6 @@ export const metadata: Metadata = {
   },
 };
 
-const volunteerJsonLd = {
-  "@context": "https://schema.org",
-  "@type": "JobPosting",
-  title: "Volunteer — Marketing & Events",
-  description: PAGE_DESCRIPTION,
-  employmentType: "VOLUNTEER",
-  hiringOrganization: {
-    "@type": "Organization",
-    name: "Codú",
-    sameAs: "https://www.codu.co",
-    logo: "https://www.codu.co/images/codu-logo.png",
-  },
-  jobLocation: {
-    "@type": "Place",
-    address: {
-      "@type": "PostalAddress",
-      addressCountry: "IE",
-    },
-  },
-  applicantLocationRequirements: { "@type": "Country", name: "Worldwide" },
-  jobLocationType: "TELECOMMUTE",
-  datePosted: new Date().toISOString().split("T")[0],
-  url: PAGE_URL,
-};
-
 export default function VolunteerPage() {
-  return (
-    <>
-      <JsonLd data={volunteerJsonLd} />
-      <VolunteerClient />
-    </>
-  );
+  return <VolunteerClient />;
 }
diff --git a/server/api/router/speaker.ts b/server/api/router/speaker.ts
@@ -74,6 +74,8 @@ export const speakerRouter = createTRPCRouter({
         return [t?.title ?? "", t?.lengthLabel ?? "", t?.abstract ?? ""];
       };
 
+      // Partial-failure policy: see volunteer.ts for the same pattern. If one
+      // channel fails we still return success; only both failing errors out.
       const [sheetResult, emailResult] = await Promise.allSettled([
         appendRowToSubmissionsSheet({
           tab: SPEAKER_SHEET_TAB,
diff --git a/server/api/router/volunteer.ts b/server/api/router/volunteer.ts
@@ -61,6 +61,11 @@ export const volunteerRouter = createTRPCRouter({
 
       const adminEmail = process.env.ADMIN_EMAIL || "hi@codu.co";
 
+      // Partial-failure policy: run both side effects in parallel. If exactly
+      // one fails, we still return success to the user (the other channel
+      // carries the signal) and rely on Sentry + console to flag the gap.
+      // Only if BOTH fail do we error out so the user can retry. Low-volume
+      // form — duplicate retries are cheaper than lost submissions.
       const [sheetResult, emailResult] = await Promise.allSettled([
         appendRowToSubmissionsSheet({
           tab: VOLUNTEER_SHEET_TAB,
diff --git a/utils/createSpeakerApplicationEmailTemplate.ts b/utils/createSpeakerApplicationEmailTemplate.ts
@@ -1,3 +1,5 @@
+import { escapeHtml, sanitizeHref } from "./escapeHtml";
+
 type TalkDetails = {
   title: string;
   lengthLabel: string;
@@ -18,26 +20,40 @@ type SpeakerApplicationDetails = {
 };
 
 const sectionBlock = (title: string, body: string) => `
-      <h2 style="color: #171717; font-size: 16px; margin: 24px 0 12px 0; padding-bottom: 8px; border-bottom: 2px solid #e5e5e5;">${title}</h2>
+      <h2 style="color: #171717; font-size: 16px; margin: 24px 0 12px 0; padding-bottom: 8px; border-bottom: 2px solid #e5e5e5;">${escapeHtml(title)}</h2>
       <div style="margin-bottom: 16px; padding: 16px; background: #fafafa; border-radius: 8px; border-left: 4px solid #db2777;">
-        <p style="margin: 0; color: #404040; white-space: pre-wrap; line-height: 1.6;">${body}</p>
+        <p style="margin: 0; color: #404040; white-space: pre-wrap; line-height: 1.6;">${escapeHtml(body)}</p>
       </div>
 `;
 
 const talkBlock = (talk: TalkDetails, idx: number) => `
       <div style="margin-bottom: 20px; padding: 18px; background: #fafafa; border-radius: 10px; border: 1px solid #e5e5e5;">
         <div style="display: flex; justify-content: space-between; align-items: center; margin-bottom: 8px;">
           <span style="font-size: 11px; text-transform: uppercase; letter-spacing: 0.5px; color: #737373;">Talk ${idx + 1}</span>
-          <span style="display: inline-block; background: linear-gradient(to right, #fb923c, #db2777); color: white; padding: 4px 10px; border-radius: 9999px; font-size: 11px;">${talk.lengthLabel}</span>
+          <span style="display: inline-block; background: linear-gradient(to right, #fb923c, #db2777); color: white; padding: 4px 10px; border-radius: 9999px; font-size: 11px;">${escapeHtml(talk.lengthLabel)}</span>
         </div>
-        <h3 style="margin: 0 0 8px 0; font-size: 16px; color: #171717;">${talk.title}</h3>
-        <p style="margin: 0; color: #404040; white-space: pre-wrap; line-height: 1.6; font-size: 14px;">${talk.abstract}</p>
+        <h3 style="margin: 0 0 8px 0; font-size: 16px; color: #171717;">${escapeHtml(talk.title)}</h3>
+        <p style="margin: 0; color: #404040; white-space: pre-wrap; line-height: 1.6; font-size: 14px;">${escapeHtml(talk.abstract)}</p>
       </div>
 `;
 
 export const createSpeakerApplicationEmailTemplate = (
   details: SpeakerApplicationDetails,
-) => `
+) => {
+  const name = escapeHtml(details.name);
+  const email = escapeHtml(details.email);
+  const emailHref = sanitizeHref(`mailto:${details.email}`);
+  const location = escapeHtml(details.location);
+  const formatLabel = escapeHtml(details.formatLabel);
+  const experienceLabel = escapeHtml(details.experienceLabel);
+  const submittedAt = escapeHtml(details.submittedAt);
+  const linkHref = sanitizeHref(details.link);
+  const linkText = escapeHtml(details.link);
+  const replyHref = sanitizeHref(
+    `mailto:${details.email}?subject=Re: Codú Speaker Pitch`,
+  );
+
+  return `
 <!DOCTYPE html>
 <html>
 <head>
@@ -56,36 +72,36 @@ export const createSpeakerApplicationEmailTemplate = (
       <table style="width: 100%; border-collapse: collapse; margin-bottom: 8px;">
         <tr>
           <td style="padding: 8px 0; color: #525252; width: 120px;">Name</td>
-          <td style="padding: 8px 0; font-weight: 600;">${details.name}</td>
+          <td style="padding: 8px 0; font-weight: 600;">${name}</td>
         </tr>
         <tr>
           <td style="padding: 8px 0; color: #525252;">Email</td>
-          <td style="padding: 8px 0;"><a href="mailto:${details.email}" style="color: #db2777; text-decoration: none; font-weight: 600;">${details.email}</a></td>
+          <td style="padding: 8px 0;"><a href="${emailHref}" style="color: #db2777; text-decoration: none; font-weight: 600;">${email}</a></td>
         </tr>
         <tr>
           <td style="padding: 8px 0; color: #525252;">Location</td>
-          <td style="padding: 8px 0;">${details.location}</td>
+          <td style="padding: 8px 0;">${location}</td>
         </tr>
         <tr>
           <td style="padding: 8px 0; color: #525252;">Format</td>
-          <td style="padding: 8px 0;">${details.formatLabel}</td>
+          <td style="padding: 8px 0;">${formatLabel}</td>
         </tr>
         ${
           details.experienceLabel
             ? `
         <tr>
           <td style="padding: 8px 0; color: #525252;">Experience</td>
-          <td style="padding: 8px 0;">${details.experienceLabel}</td>
+          <td style="padding: 8px 0;">${experienceLabel}</td>
         </tr>
         `
             : ""
         }
         ${
-          details.link
+          linkHref
             ? `
         <tr>
           <td style="padding: 8px 0; color: #525252;">Link</td>
-          <td style="padding: 8px 0;"><a href="${details.link}" style="color: #db2777; text-decoration: none;">${details.link}</a></td>
+          <td style="padding: 8px 0;"><a href="${linkHref}" style="color: #db2777; text-decoration: none;">${linkText}</a></td>
         </tr>
         `
             : ""
@@ -99,12 +115,12 @@ export const createSpeakerApplicationEmailTemplate = (
 
       ${details.other ? sectionBlock("Anything else", details.other) : ""}
 
-      <p style="color: #a3a3a3; font-size: 12px; margin: 24px 0 0 0;">Submitted: ${details.submittedAt}</p>
+      <p style="color: #a3a3a3; font-size: 12px; margin: 24px 0 0 0;">Submitted: ${submittedAt}</p>
 
       <div style="margin-top: 24px; padding-top: 20px; border-top: 1px solid #e5e5e5; text-align: center;">
-        <a href="mailto:${details.email}?subject=Re: Codú Speaker Pitch"
+        <a href="${replyHref}"
            style="display: inline-block; background: linear-gradient(to right, #fb923c, #db2777); color: white; padding: 14px 28px; border-radius: 8px; text-decoration: none; font-weight: 600;">
-          Reply to ${details.name}
+          Reply to ${name}
         </a>
       </div>
     </div>
@@ -116,3 +132,4 @@ export const createSpeakerApplicationEmailTemplate = (
 </body>
 </html>
 `;
+};
diff --git a/utils/createSponsorInquiryEmailTemplate.ts b/utils/createSponsorInquiryEmailTemplate.ts
@@ -1,3 +1,5 @@
+import { escapeHtml, sanitizeHref } from "./escapeHtml";
+
 type SponsorInquiryDetails = {
   name: string;
   email: string;
@@ -11,7 +13,20 @@ type SponsorInquiryDetails = {
 
 export const createSponsorInquiryEmailTemplate = (
   details: SponsorInquiryDetails,
-) => `
+) => {
+  const name = escapeHtml(details.name);
+  const email = escapeHtml(details.email);
+  const emailHref = sanitizeHref(`mailto:${details.email}`);
+  const company = escapeHtml(details.company);
+  const phone = escapeHtml(details.phone);
+  const budgetRange = escapeHtml(details.budgetRange);
+  const goals = escapeHtml(details.goals);
+  const submittedAt = escapeHtml(details.submittedAt);
+  const replyHref = sanitizeHref(
+    `mailto:${details.email}?subject=Re: Codu Advertising Inquiry`,
+  );
+
+  return `
 <!DOCTYPE html>
 <html>
 <head>
@@ -31,18 +46,18 @@ export const createSponsorInquiryEmailTemplate = (
       <table style="width: 100%; border-collapse: collapse; margin-bottom: 24px;">
         <tr>
           <td style="padding: 8px 0; color: #525252; width: 120px;">Name</td>
-          <td style="padding: 8px 0; font-weight: 600;">${details.name}</td>
+          <td style="padding: 8px 0; font-weight: 600;">${name}</td>
         </tr>
         <tr>
           <td style="padding: 8px 0; color: #525252;">Email</td>
-          <td style="padding: 8px 0;"><a href="mailto:${details.email}" style="color: #db2777; text-decoration: none; font-weight: 600;">${details.email}</a></td>
+          <td style="padding: 8px 0;"><a href="${emailHref}" style="color: #db2777; text-decoration: none; font-weight: 600;">${email}</a></td>
         </tr>
         ${
           details.company
             ? `
         <tr>
           <td style="padding: 8px 0; color: #525252;">Company</td>
-          <td style="padding: 8px 0; font-weight: 600;">${details.company}</td>
+          <td style="padding: 8px 0; font-weight: 600;">${company}</td>
         </tr>
         `
             : ""
@@ -51,7 +66,7 @@ export const createSponsorInquiryEmailTemplate = (
             ? `
         <tr>
           <td style="padding: 8px 0; color: #525252;">Phone</td>
-          <td style="padding: 8px 0;">${details.phone}</td>
+          <td style="padding: 8px 0;">${phone}</td>
         </tr>
         `
             : ""
@@ -64,35 +79,35 @@ export const createSponsorInquiryEmailTemplate = (
         ${details.interests
           .map(
             (interest) =>
-              `<span style="display: inline-block; background: linear-gradient(to right, #fb923c, #db2777); color: white; padding: 6px 14px; border-radius: 9999px; font-size: 13px; margin: 4px 4px 4px 0;">${interest}</span>`,
+              `<span style="display: inline-block; background: linear-gradient(to right, #fb923c, #db2777); color: white; padding: 6px 14px; border-radius: 9999px; font-size: 13px; margin: 4px 4px 4px 0;">${escapeHtml(interest)}</span>`,
           )
           .join("")}
       </div>
 
       <!-- Budget -->
       <h2 style="color: #171717; font-size: 16px; margin: 0 0 16px 0; padding-bottom: 8px; border-bottom: 2px solid #e5e5e5;">Budget Range</h2>
-      <p style="margin: 0 0 24px 0; font-size: 18px; font-weight: 600; color: #171717;">${details.budgetRange}</p>
+      <p style="margin: 0 0 24px 0; font-size: 18px; font-weight: 600; color: #171717;">${budgetRange}</p>
 
       <!-- Goals -->
       ${
         details.goals
           ? `
       <h2 style="color: #171717; font-size: 16px; margin: 0 0 16px 0; padding-bottom: 8px; border-bottom: 2px solid #e5e5e5;">Goals & Requirements</h2>
       <div style="margin-bottom: 24px; padding: 16px; background: #fafafa; border-radius: 8px; border-left: 4px solid #db2777;">
-        <p style="margin: 0; color: #404040; white-space: pre-wrap; line-height: 1.6;">${details.goals}</p>
+        <p style="margin: 0; color: #404040; white-space: pre-wrap; line-height: 1.6;">${goals}</p>
       </div>
       `
           : ""
       }
 
       <!-- Timestamp -->
-      <p style="color: #a3a3a3; font-size: 12px; margin: 0;">Submitted: ${details.submittedAt}</p>
+      <p style="color: #a3a3a3; font-size: 12px; margin: 0;">Submitted: ${submittedAt}</p>
 
       <!-- CTA -->
       <div style="margin-top: 24px; padding-top: 20px; border-top: 1px solid #e5e5e5; text-align: center;">
-        <a href="mailto:${details.email}?subject=Re: Codu Advertising Inquiry"
+        <a href="${replyHref}"
            style="display: inline-block; background: linear-gradient(to right, #fb923c, #db2777); color: white; padding: 14px 28px; border-radius: 8px; text-decoration: none; font-weight: 600;">
-          Reply to ${details.name}
+          Reply to ${name}
         </a>
       </div>
     </div>
@@ -104,3 +119,4 @@ export const createSponsorInquiryEmailTemplate = (
 </body>
 </html>
 `;
+};
diff --git a/utils/createVolunteerApplicationEmailTemplate.ts b/utils/createVolunteerApplicationEmailTemplate.ts
diff --git a/utils/escapeHtml.ts b/utils/escapeHtml.ts
