working-group-two / wgtwo.com


Auto-send Contact Form submissions to User's Email #400

Closed Prid13 closed 11 months ago

Prid13 commented 1 year ago

It's finally done, and working 😇

All contact forms on the website have been tweaked to send a confirmation mail to the user that sent the message.

Example

1. Send message via Form on website

image

2. User receives confirmation mail

Screenshot_1251

3. The mail:

Screenshot_1252

Email template

Creating the actual email template is a real pain, unfortunately, since emails only allow basic HTML to be accepted. I used EngineMailer and modified a template a bit. The generated HTML was horrifying and unreadable, but I just copied and pasted it into our codebase and the email template is working.

For any modification, even to the email text, someone comfortable with HTML would be needed, OR, maybe a new email template would have to be created from scratch. Even then, someone with HTML/JS knowledge would be needed to actually insert the template into the code.

This is the template I ended up with (for inspiration):

Screenshot_1222

Screenshot_1221

Issues

CORS policy

For some reason the Netlify function doesn't have a CORS policy, so while fetching the request to the sendmail function will fail, the actual sending of the email will still be triggered on the Netlify function endpoint, so this is a non-issue if the error doesn't show up in production 😅

Error in dev environment: Screenshot_1256

Security concerns

The URL to the Netlify function for sending emails is open and anyone can mass "attack" it (DDoS) or maybe try and find a vulnerability in the code (not sure how secure URL params are 😅). But I'm sure Netlify has its own guards in place for this, but something to keep in mind.

jonny-wg2 commented 1 year ago

Awesome work as always @Prid13. Thanks for the write up - I believe this is accepted risks on the security side. We have the ability to revoke this endpoint if it's a problem later on.
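
An added example, not code from this PR or the project: one way a Netlify-style function could answer the CORS preflight and validate a submission before any mail is sent, addressing the CORS and open-endpoint points from the first comment. The allowed origin, the field names (`email`, `name`, `message`), the length limits and the `makeHandler`/`sendMail` helpers are assumptions for illustration.

```javascript
// Added example. Origin, field names and limits below are placeholders.
const ALLOWED_ORIGINS = new Set(["https://www.example.com"]);
// \s in the negated classes also rejects CR/LF, which blocks mail header injection.
const EMAIL_RE = /^[^\s@<>,;]+@[^\s@<>,;]+\.[^\s@<>,;]+$/;
const MAX_MESSAGE = 2000;

function corsHeaders(origin) {
  // Echo the origin only when it is allow-listed; never answer with "*".
  if (!ALLOWED_ORIGINS.has(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Methods": "POST, OPTIONS",
    "Access-Control-Allow-Headers": "Content-Type",
    "Vary": "Origin",
  };
}

function validate(body) {
  const { email, name, message } = body || {};
  if (typeof email !== "string" || email.length > 254 || !EMAIL_RE.test(email))
    return "invalid email";
  if (typeof name !== "string" || name.length > 100 || /[\r\n]/.test(name))
    return "invalid name";
  if (typeof message !== "string" || !message.trim() || message.length > MAX_MESSAGE)
    return "invalid message";
  return null;
}

// sendMail is a hypothetical async function that performs the actual delivery.
function makeHandler(sendMail) {
  return async (event) => {
    const origin = (event.headers || {}).origin || "";
    const headers = corsHeaders(origin);
    if (event.httpMethod === "OPTIONS") return { statusCode: 204, headers };
    if (event.httpMethod !== "POST") return { statusCode: 405, headers };
    // CORS only limits what a browser page may read, so refuse server-side too.
    // Non-browser clients can set any Origin; rate limiting is still needed.
    if (!ALLOWED_ORIGINS.has(origin)) return { statusCode: 403, headers };
    let body;
    try { body = JSON.parse(event.body || ""); }
    catch { return { statusCode: 400, headers, body: "bad json" }; }
    const err = validate(body);
    if (err) return { statusCode: 400, headers, body: err };
    await sendMail(body); // reached only after every check has passed
    return { statusCode: 200, headers, body: "ok" };
  };
}
```

In a deployed function the result of `makeHandler(...)` would be exported as `handler`.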