feat: apply markdown rendering to HITL email, sanitize email subject and body (#32305)

This PR:

1. Fixes the bug that the email body of the `HumanInput` node is sent as-is, without markdown rendering or sanitization
2. Applies HTML sanitization to the email subject and body
3. Removes `\r` and `\n` from the email subject to prevent SMTP header injection

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
Co-authored-by: QuantumGhost <obelisk.reg+git@gmail.com>
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
This commit is contained in:
Blackoutta
2026-03-16 16:52:46 +08:00
committed by GitHub
parent 4822d550b6
commit 57d476d4e2
8 changed files with 229 additions and 9 deletions


@ -155,13 +155,15 @@ class EmailDeliveryTestHandler:
context=context,
recipient_email=recipient_email,
)
subject = render_email_template(method.config.subject, substitutions)
subject_template = render_email_template(method.config.subject, substitutions)
subject = EmailDeliveryConfig.sanitize_subject(subject_template)
templated_body = EmailDeliveryConfig.render_body_template(
body=method.config.body,
url=substitutions.get("form_link"),
variable_pool=context.variable_pool,
)
body = render_email_template(templated_body, substitutions)
body = EmailDeliveryConfig.render_markdown_body(body)
mail.send(
to=recipient_email,
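Review bot: the body path in this hunk calls only `render_markdown_body` on the substituted body, while the commit message says the body is HTML-sanitized; please confirm that `render_markdown_body` sanitizes the HTML it produces after the markdown-to-HTML step (sanitizing before conversion is not enough, since the converter can emit tags from raw HTML or link syntax carried by substitution values such as `form_link`), or add an explicit sanitize call here as was done for the subject. The subject ordering is right: `sanitize_subject` runs on the output of `render_email_template`, so `\r`/`\n` arriving through substituted values are stripped rather than only those in the static template.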