From e8c16763b7fe6c4d849cab286feb97686d9d856c Mon Sep 17 00:00:00 2001 From: gkhaavik Date: Fri, 9 May 2025 12:56:40 +0200 Subject: [PATCH] Potential fix for code scanning alert no. 2: Email content injection Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- internal/infrastructure/email/smtp_email_service.go | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/internal/infrastructure/email/smtp_email_service.go b/internal/infrastructure/email/smtp_email_service.go index e50b5b5..4a77326 100644 --- a/internal/infrastructure/email/smtp_email_service.go +++ b/internal/infrastructure/email/smtp_email_service.go @@ -65,13 +65,17 @@ func (s *SMTPEmailService) SendEmail(data service.EmailData) error { } // Format email message + // Sanitize email subject and body + sanitizedSubject := template.HTMLEscapeString(data.Subject) + sanitizedBody := template.HTMLEscapeString(body) + msg := []byte(fmt.Sprintf("From: %s <%s>\r\n"+ "To: %s\r\n"+ "Subject: %s\r\n"+ "MIME-Version: 1.0\r\n"+ "Content-Type: %s; charset=UTF-8\r\n"+ "\r\n"+ - "%s", s.config.FromName, s.config.FromEmail, data.To, data.Subject, contentType, body)) + "%s", s.config.FromName, s.config.FromEmail, data.To, sanitizedSubject, contentType, sanitizedBody)) // Send email err = smtp.SendMail(
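Review bot: `template.HTMLEscapeString` on the new `sanitizedSubject` line does not close the header-injection vector the alert describes — it escapes `<>&'"` but leaves CR and LF intact, so a subject containing a CRLF can still terminate the `Subject:` header and inject further header lines, and `data.To` is still spliced into the `To:` header unchanged (`smtp.SendMail` only validates the envelope addresses it is passed, not the headers inside `msg`). HTML-escaping `body` is also likely the wrong transformation for the message content: if `contentType` is text/html it mangles intended markup, and for text/plain it turns apostrophes into `&#39;`; `body` and `contentType` are assigned before this hunk, so their origin cannot be confirmed here. A fix that matches the header grammar is to Q-encode the subject with `mime.QEncoding.Encode` (RFC 2047, which also encodes control characters) and to validate and format the recipient with `net/mail.ParseAddress`, leaving the body as produced; both are stdlib packages and would need adding to the import block outside this hunk. The rest of SendEmail, including where `body` is built and the `smtp.SendMail` call, lies outside the hunk.

```go
	// Format email message
	// Header values must not contain CR/LF (header injection). Q-encode the
	// subject (RFC 2047, also covers non-ASCII) and parse the recipient
	// instead of splicing raw strings into the header block.
	toAddr, parseErr := mail.ParseAddress(data.To)
	if parseErr != nil {
		return fmt.Errorf("parsing recipient %q: %w", data.To, parseErr)
	}
	subject := mime.QEncoding.Encode("utf-8", data.Subject)

	msg := []byte(fmt.Sprintf("From: %s <%s>\r\n"+
		// … unchanged: "To:", "Subject:", "MIME-Version:", "Content-Type:" and blank-line format pieces …
		"%s", s.config.FromName, s.config.FromEmail, toAddr.String(), subject, contentType, body))
```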