22 changes: 12 additions & 10 deletions ghost/core/core/server/data/importer/email-template.js
Expand Up @@ -54,7 +54,7 @@ module.exports = ({result, siteUrl, postsUrl, emailRecipient}) => `
}
table[class=body] p[class=small],
table[class=body] a[class=small] {
font-size: 12x !important;
font-size: 12px !important;
}
}
/* -------------------------------------
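Review bot: the `12x` to `12px` correction in this hunk is right; `12x` is not a valid CSS length, so the whole `font-size` declaration for `p.small` / `a.small` was being discarded by the parser and those elements inherited their size instead. No further change needed here.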
Expand Down Expand Up @@ -122,27 +122,30 @@ module.exports = ({result, siteUrl, postsUrl, emailRecipient}) => `
</tr>
<tr>
<td style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol'; font-size: 16px; vertical-align: top;">
<p class="title" style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol'; font-size: 21px; color: #3A464C; font-weight: normal; line-height: 25px; margin-bottom: 30px; margin-top: 50px; font-weight: 600; color: #15212A;">${result?.data?.errors ? 'Import unsuccessful' : 'Your content import has finished successfully'}</p>
<p class="title" style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol'; font-size: 21px; color: #3A464C; font-weight: normal; line-height: 25px; margin-bottom: 30px; margin-top: 50px; font-weight: 600; color: #15212A;">\${result?.data?.errors ? 'Import unsuccessful' : 'Your content import has finished successfully'}</p>
</td>
</tr>
${result?.data?.errors ? `
\${result?.data?.errors ? \`
<tr>
<td style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol'; font-size: 14px; vertical-align: top; padding-bottom: 16px;">One or more error occured while importing your content. Please contact support or report on the <a href="https://forum.ghost.org/">Ghost Community Forum</a>.</td>
<td style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol'; font-size: 14px; vertical-align: top; padding-bottom: 16px;">
The following error occurred while importing your content: <strong>\${result.data.errors[0].message}</strong>.
⚠️ Potential issue | 🟠 Major | ⚡ Quick win

errors[0].message is interpolated into HTML without escaping — HTML injection risk.

Ghost validation errors can include the offending field value in their message text (e.g., "Value '<script>…</script>' is too long"). Inserting that string verbatim as <strong>…</strong> inner HTML means any HTML-special characters in the message text are interpreted by the email client as markup — at minimum corrupting the email layout, at worst injecting arbitrary HTML elements when an import file is crafted with a malicious field value.

🛡️ Proposed fix — add an inline escape helper
+const escapeHtml = str => String(str)
+    .replace(/&/g, '&amp;')
+    .replace(/</g, '&lt;')
+    .replace(/>/g, '&gt;')
+    .replace(/"/g, '&quot;')
+    .replace(/'/g, '&#x27;');
+
 module.exports = ({result, siteUrl, postsUrl, emailRecipient}) => `

Then on the interpolation line:

-                        The following error occurred while importing your content: <strong>\${result.data.errors[0].message}</strong>. 
+                        The following error occurred while importing your content: <strong>\${escapeHtml(result.data.errors[0].message)}</strong>. 
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
The following error occurred while importing your content: <strong>\${result.data.errors[0].message}</strong>.
const escapeHtml = str => String(str)
.replace(/&/g, '&amp;')
.replace(/</g, '&lt;')
.replace(/>/g, '&gt;')
.replace(/"/g, '&quot;')
.replace(/'/g, '&#x27;');
module.exports = ({result, siteUrl, postsUrl, emailRecipient}) => `
...
The following error occurred while importing your content: <strong>${escapeHtml(result.data.errors[0].message)}</strong>.
...
`
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@ghost/core/core/server/data/importer/email-template.js` at line 131, the
template injects result.data.errors[0].message directly into HTML which allows
HTML injection; fix it by escaping HTML-special characters before interpolation:
add or reuse an HTML-escape helper (e.g., escapeHtml) and call it when rendering
the error message in the email template (replace the direct use of
result.data.errors[0].message with escapeHtml(result.data.errors[0].message)),
ensuring the helper is imported/defined alongside the email template renderer so
all <, >, &, ", ' characters are converted to entities.
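As an added example (not Ghost's code and not the reviewer's suggestion), a renderer for the import-status row that applies the escaping the comment above asks for and also covers the cases this diff leaves open: an empty or missing `errors` array, several errors, and entries that are not `Error` objects. The function and variable names are hypothetical and the sample input is constructed.

```javascript
// Added example, not Ghost's code and not the review suggestion above:
// a renderer for the import-status row that escapes the message and also
// handles the cases the diff does not (empty/missing errors, several errors,
// entries that are not Error objects). Names here are hypothetical.
const escapeHtml = (value) => String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');

// Normalise result.data.errors to an array of message strings.
// An empty or missing array yields [] rather than a TypeError on errors[0].
const importErrorMessages = (result) => {
    const errors = result?.data?.errors;
    if (!Array.isArray(errors)) {
        return [];
    }
    return errors.map((err) => (
        err && typeof err.message === 'string' ? err.message : String(err)
    ));
};

// Success when there are no messages; otherwise list every message, escaped.
const renderImportStatusRow = (result) => {
    const messages = importErrorMessages(result);
    if (messages.length === 0) {
        return '<tr><td>Your content import has finished successfully.</td></tr>';
    }
    const items = messages
        .map((m) => `<li><strong>${escapeHtml(m)}</strong></li>`)
        .join('');
    return `<tr><td>${messages.length} error(s) occurred while importing ` +
        `your content:<ul>${items}</ul></td></tr>`;
};

// Constructed sample: a validation message echoing a crafted field value,
// plus a second error that is a bare string rather than an Error object.
const sampleResult = {
    data: {
        errors: [
            new Error(`Value '<script>…</script>' is too long`),
            'Post slug is not unique'
        ]
    }
};

console.log(renderImportStatusRow(sampleResult));
```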

Please contact support or report on the <a href="https://forum.ghost.org/">Ghost Community Forum</a>.
</td>
</tr>
` : `
\` : \`
<tr>
<td style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol'; font-size: 14px; vertical-align: top; padding-bottom: 12px; padding-top: 16px;">
<a href="${postsUrl.href}" target="_blank" style="display: inline-block; color: #ffffff; background-color: #15212A; border: solid 1px #15212A; border-radius: 5px; box-sizing: border-box; cursor: pointer; text-decoration: none; font-size: 16px; font-weight: normal; margin: 0; padding: 9px 22px 10px; border-color: #15212A;">View posts</a>
<a href="\${postsUrl.href}" target="_blank" style="display: inline-block; color: #ffffff; background-color: #15212A; border: solid 1px #15212A; border-radius: 5px; box-sizing: border-box; cursor: pointer; text-decoration: none; font-size: 16px; font-weight: normal; margin: 0; padding: 9px 22px 10px; border-color: #15212A;">View posts</a>
</td>
</tr>
`}
\`}
</table>
</td>
</tr>
<tr>
<td style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol'; vertical-align: top; padding-top: 80px; padding-bottom: 10px;">
<div class="footer">
<p class="small" style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol'; color: #738A94; font-weight: normal; margin: 0; line-height: 18px; margin-bottom: 0px; font-size: 11px;">This email was sent from <a href="${siteUrl.href}" style="color: #738A94;">${siteUrl.host}</a> to <a href="mailto:${emailRecipient}" style="color: #738A94;">${emailRecipient}</a></p>
<p class="small" style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol'; color: #738A94; font-weight: normal; margin: 0; line-height: 18px; margin-bottom: 0px; font-size: 11px;">This email was sent from <a href="\${siteUrl.href}" style="color: #738A94;">\${siteUrl.host}</a> to <a href="mailto:\${emailRecipient}" style="color: #738A94;">\${emailRecipient}</a></p>
</div>
</td>
</tr>
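Review bot: the new branch dereferences `result.data.errors[0].message` behind a guard that only tests `result?.data?.errors` for truthiness, and an empty array is truthy, so an import that produced `errors: []` would take the failure branch and then throw a `TypeError` while the email is being built; test `result?.data?.errors?.length` instead (the same guard also picks the 'Import unsuccessful' title in the `<p class="title">` line). The earlier point about escaping the message before interpolating it stands, since the string lands inside `<strong>` as raw HTML. Also, only `errors[0]` is shown, so when several errors occurred the rest are silently dropped from the email; either list them or state the count so the recipient knows there is more than one.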
Expand All @@ -159,5 +162,4 @@ module.exports = ({result, siteUrl, postsUrl, emailRecipient}) => `
</table>
</body>
</html>
`;

\`;
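Review bot: the only substantive change in this hunk is dropping the blank line before the closing delimiter. The delimiter appears here as `\`;` (and the interpolations in the previous hunk as `\${…}`); if that is literal file content rather than a rendering artifact, the template literal would be unterminated and the placeholders would be emitted as text, so please confirm the file still ends with a plain backtick and semicolon and that the `${…}` expressions are unescaped.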
Expand Up @@ -186,7 +186,8 @@ DataImporter = {
// Errors preventing import:
if (errors.length > 0) {
debug(errors);
throw errors;
// Rejections should always be with an Error object, not an array
throw errors[0];
}

return {
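Review bot: `throw errors[0]` fixes the rejection type but discards every error after the first; since `debug(errors)` shows the array can hold several, consider keeping them reachable from the thrown value (for example an `AggregateError`, or attaching the array as a property on `errors[0]`) so callers and the email template can report the full list rather than one. It is also worth asserting that `errors[0]` really is an `Error` at this point, because downstream code (the email template in this PR) reads `.message` from it.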