Merge pull request #793 from bcgov/yj

Yj

Author: ychung-mot

server/StrDss.Common/CommonUtils.cs

@@ -1,4 +1,6 @@
-using System.IO.Compression;
+using Ganss.Xss;
+using System.Collections;
+using System.IO.Compression;
 using System.Reflection;
 using System.Text.RegularExpressions;
 
@@ -95,5 +97,64 @@ public static bool IsValidEmailAddress(string email)
 
             return true;
         }
+
+        private static readonly HtmlSanitizer _sanitizer = new HtmlSanitizer();
+
+        public static void SanitizeObject<T>(T input)
+        {
+            if (input == null) return;
+
+            // Handle if the input is a list or collection
+            if (input is IEnumerable collection && input.GetType() != typeof(string))
+            {
+                foreach (var item in collection)
+                {
+                    if (item != null && item.GetType().IsClass)
+                    {
+                        SanitizeObject(item);
+                    }
+                }
+                return;
+            }
+
+            Type type = input.GetType();
+            foreach (PropertyInfo property in type.GetProperties())
+            {
+                if (property.PropertyType == typeof(string) && property.CanWrite)
+                {
+                    string? value = property.GetValue(input) as string;
+                    if (!string.IsNullOrEmpty(value))
+                    {
+                        // Sanitize the string property
+                        string sanitizedValue = _sanitizer.Sanitize(value);
+                        property.SetValue(input, sanitizedValue);
+                    }
+                }
+                else if (property.PropertyType.IsClass && property.PropertyType != typeof(string))
+                {
+                    // Recursively sanitize nested objects
+                    object? nestedObject = property.GetValue(input);
+                    if (nestedObject != null)
+                    {
+                        SanitizeObject(nestedObject);
+                    }
+                }
+                else if (typeof(IEnumerable).IsAssignableFrom(property.PropertyType) && property.CanWrite)
+                {
+                    // Sanitize elements in collections (lists, arrays, etc.)
+                    IEnumerable? nestedCollection = property.GetValue(input) as IEnumerable;
+                    if (nestedCollection != null)
+                    {
+                        foreach (var item in nestedCollection)
+                        {
+                            if (item != null && item.GetType().IsClass)
+                            {
+                                SanitizeObject(item);
+                            }
+                        }
+                    }
+                }
+            }
+        }
     }
 }

server/StrDss.Common/Constants.cs

@@ -6,6 +6,7 @@ public class Constants
         public static DateTime MinDate = new DateTime(1900, 1, 1);
         public const string VancouverTimeZone = "America/Vancouver";
         public const string PacificTimeZone = "Pacific Standard Time";
+        public const string StandardTakedownDetail = "Remove the listing from the platform, do not allow transactions for payments associated with the listing, and cancel all booking associated with the listing.";
     }
     public static class Entities
     {

server/StrDss.Common/StrDss.Common.csproj

@@ -7,6 +7,7 @@
 	</PropertyGroup>
 
 	<ItemGroup>
+		<PackageReference Include="HtmlSanitizer" Version="8.1.870" />
 		<PackageReference Include="System.Linq.Dynamic.Core" Version="1.3.7" />
 		<PackageReference Include="System.IO.Compression" Version="4.3.0" />
 		<PackageReference Include="System.IO.Compression.ZipFile" Version="4.3.0" />

server/StrDss.Service/DelistingService.cs

@@ -1,4 +1,5 @@
 using AutoMapper;
+using Ganss.Xss;
 using Microsoft.AspNetCore.Http;
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.Logging;
@@ -55,6 +56,8 @@ public DelistingService(ICurrentUser currentUser, IFieldValidatorService validat
 
         public async Task<Dictionary<string, List<string>>> CreateTakedownNoticeAsync(TakedownNoticeCreateDto dto)
         {
+            CommonUtils.SanitizeObject(dto);
+
             var platform = await _orgService.GetOrganizationByIdAsync(dto.PlatformId);
             var lg = await _orgService.GetOrganizationByIdAsync(_currentUser.OrganizationId);
 
@@ -203,6 +206,8 @@ private async Task SendTakedownNoticeAsync(TakedownNoticeCreateDto dto, Organiza
         }
         public async Task<(Dictionary<string, List<string>> errors, EmailPreview preview)> GetTakedownNoticePreviewAsync(TakedownNoticeCreateDto dto)
         {
+            CommonUtils.SanitizeObject(dto);
+
             var platform = await _orgService.GetOrganizationByIdAsync(dto.PlatformId);
             var lg = await _orgService.GetOrganizationByIdAsync(_currentUser.OrganizationId);
 
@@ -250,6 +255,8 @@ private TakedownNotice GetTakedownNoticeTemplate(TakedownNoticeCreateDto dto, Or
 
         public async Task<Dictionary<string, List<string>>> CreateTakedownNoticesFromListingAsync(TakedownNoticesFromListingDto[] listings)
         {
+            CommonUtils.SanitizeObject(listings);
+
             var errors = new Dictionary<string, List<string>>();
             var emailRegex = RegexDefs.GetRegexInfo(RegexDefs.Email);
             var templates = new List<TakedownNoticeFromListing>();
@@ -392,6 +399,8 @@ private async Task SendTakedownNoticeEmailFromListingAsync(TakedownNoticesFromLi
 
         public async Task<(Dictionary<string, List<string>> errors, EmailPreview preview)> GetTakedownNoticesFromListingPreviewAsync(TakedownNoticesFromListingDto[] listings)
         {
+            CommonUtils.SanitizeObject(listings);
+
             var errors = new Dictionary<string, List<string>>();
             var emailRegex = RegexDefs.GetRegexInfo(RegexDefs.Email);
             var templates = new List<TakedownNoticeFromListing>();
@@ -443,6 +452,8 @@ private async Task SendTakedownNoticeEmailFromListingAsync(TakedownNoticesFromLi
 
         public async Task<Dictionary<string, List<string>>> CreateTakedownRequestsFromListingAsync(TakedownRequestsFromListingDto[] listings)
         {
+            CommonUtils.SanitizeObject(listings);
+
             var errors = new Dictionary<string, List<string>>();
             var templates = new List<TakedownRequestFromListing>();
 
@@ -529,6 +540,8 @@ private TakedownRequestFromListing CreateTakedownRequestTemplateFromListing(Take
                 OrgCd = rentalListing.OrganizationCd,
                 ListingId = rentalListing.PlatformListingNo,
                 Info = $"{rentalListing.OrganizationCd}-{rentalListing.PlatformListingNo}",
+                IsWithStandardDetail = listing.IsWithStandardDetail,
+                TakedownRequestDetail = listing.CustomDetailTxt,
                 To = new string[] { _currentUser.EmailAddress },
                 Cc = listing.CcList ?? new List<string>()
             };
@@ -587,6 +600,8 @@ private async Task SendTakedownRequestEmailFromListingAsync(TakedownRequestsFrom
 
         public async Task<(Dictionary<string, List<string>> errors, EmailPreview preview)> GetTakedownRequestsFromListingPreviewAsync(TakedownRequestsFromListingDto[] listings)
         {
+            CommonUtils.SanitizeObject(listings);
+
             var errors = new Dictionary<string, List<string>>();
             var templates = new List<TakedownRequestFromListing>();
 
@@ -624,6 +639,8 @@ private async Task SendTakedownRequestEmailFromListingAsync(TakedownRequestsFrom
 
         public async Task<Dictionary<string, List<string>>> CreateTakedownRequestAsync(TakedownRequestCreateDto dto)
         {
+            CommonUtils.SanitizeObject(dto);
+
             var platform = await _orgService.GetOrganizationByIdAsync(dto.PlatformId);
             var lg = await _orgService.GetOrganizationByIdAsync(_currentUser.OrganizationId);
 
@@ -748,13 +765,16 @@ private TakedownRequest GetTakedownRequestTemplate(TakedownRequestCreateDto dto,
                 To = dto.ToList,
                 Cc = dto.CcList,
                 Info = dto.ListingUrl,
+                IsWithStandardDetail = dto.IsWithStandardDetail,
                 Preview = preview
             };
             return template;
         }
 
         public async Task<(Dictionary<string, List<string>> errors, EmailPreview preview)> GetTakedownRequestPreviewAsync(TakedownRequestCreateDto dto)
         {
+            CommonUtils.SanitizeObject(dto);
+
             var platform = await _orgService.GetOrganizationByIdAsync(dto.PlatformId);
             var lg = await _orgService.GetOrganizationByIdAsync(_currentUser.OrganizationId);
 
@@ -813,7 +833,7 @@ private async Task ProcessTakedownRequestBatchEmailAsync(OrganizationDto platfor
                     ListingId = x.UnreportedListingNo ?? "", 
                     Url = x.UnreportedListingUrl ?? "", 
                     RequestedBy = x.RequestingOrganization?.OrganizationNm ?? "",
-                    TakedownRequest = (x.IsWithStandardDetail ?? false) ? "Remove the listing from the platform, do not allow transactions for payments associated with the listing, and cancel all booking associated with the listing." : "",
+                    TakedownRequest = (x.IsWithStandardDetail ?? false) ? Constants.StandardTakedownDetail : "",
                     TakedownRequestDetail = x.CustomDetailTxt ?? ""
                 })
                 .ToList();
@@ -1071,6 +1091,8 @@ private async Task<Dictionary<string, List<string>>> ValidateBatchTakedownNotice
         }
         public async Task<(Dictionary<string, List<string>> errors, EmailPreview preview)> GetComplianceOrdersFromListingPreviewAsync(ComplianceOrderDto[] listings)
         {
+            CommonUtils.SanitizeObject(listings);
+
             var errors = new Dictionary<string, List<string>>();
             var templates = new List<ComplianceOrderFromListing>();
 
@@ -1143,6 +1165,8 @@ private async Task ProcessComplianceOrderListings(ComplianceOrderDto[] listings,
         }
         public async Task<Dictionary<string, List<string>>> CreateComplianceOrdersFromListingAsync(ComplianceOrderDto[] listings)
         {
+            CommonUtils.SanitizeObject(listings);
+
             var errors = new Dictionary<string, List<string>>();
             var emailRegex = RegexDefs.GetRegexInfo(RegexDefs.Email);
             var templates = new List<ComplianceOrderFromListing>();

server/StrDss.Service/EmailTemplates/ComplianceOrderFromListing.cs

@@ -22,7 +22,7 @@ public override string GetContent()
             return (Preview ? GetPreviewHeader() : "") + $@"
 Dear Host,<br/><br/>
 <b>This message has been sent to you by B.C.'s Short-term Rental Compliance Unit regarding your short-term rental listing:</b><br/><b>{Url}</b><br/><br/>
-<b>{Sanitize(Comment)}</b><br/>
+<b>{Comment}</b><br/>
 ";
         }
 

server/StrDss.Service/EmailTemplates/EmailTemplateBase.cs

@@ -1,18 +1,14 @@
-using Ganss.Xss;
-using StrDss.Common;
+using StrDss.Common;
 using StrDss.Model;
 
 namespace StrDss.Service.EmailTemplates
 {
     public class EmailTemplateBase
     {
         private IEmailMessageService _emailService { get; set; }
-        private HtmlSanitizer _sanitizer { get; set; }
-
         public EmailTemplateBase(IEmailMessageService emailService)
         {
             _emailService = emailService;
-            _sanitizer = new HtmlSanitizer();
         }
 
         public string Subject { get; set;  } = "";
@@ -61,10 +57,5 @@ public async Task<string> SendEmail()
 
             return await _emailService.SendEmailAsync(emailContent);
         }
-
-        public string Sanitize(string? text)
-        {
-            return _sanitizer.Sanitize(text ?? "");
-        }
     }
 }

server/StrDss.Service/EmailTemplates/TakedownNotice.cs

@@ -23,11 +23,11 @@ public override string GetContent()
             return (Preview ? GetPreviewHeader() : "") + $@"
 Dear Host,<br/><br/>
 Short-term rental accommodations in your community are regulated by your local government. The {LgName} has determined that the following short-term rental listing is not in compliance with an applicable local government business licence requirement:<br/><br/>
-<b>{Sanitize(Url)}</b><br/><br/>
-Listing ID Number: <b>{Sanitize(ListingId)}</b><br/><br/>
+<b>{Url}</b><br/><br/>
+Listing ID Number: <b>{ListingId}</b><br/><br/>
 Under the provincial <a href='https://www.bclaws.gov.bc.ca/civix/document/id/bills/billsprevious/4th42nd:gov35-1'><i>Short-Term Rental Accommodations Act</i></a> and its regulations, the local government may submit a request to the short-term rental platform to cease providing platform services (e.g., remove this listing from the platform and cancel bookings) within a period of 5-90 days after the date of delivery of this Notice. Short-term rental platforms are required to comply with the local government’s request within 5 days of receiving the request.<br/><br/>
 This Notice has been issued by {LgName}.<br/><br/>
-{Sanitize(Comment)}<br/><br/>
+{Comment}<br/><br/>
 For more information on this Notice, or local government short-term rental business licences, please contact your local government.<br/><br/>
 For more information on the <i>Short-term Rental Accommodations Act</i>, please visit: <a href='https://www2.gov.bc.ca/gov/content/housing-tenancy/short-term-rentals'>New rules for short-term rentals - Province of British Columbia (gov.bc.ca)</a>.<br/><br/>
 

server/StrDss.Service/EmailTemplates/TakedownNoticeFromListing.cs

@@ -27,7 +27,7 @@ public string GetHtmlPreview()
 Listing ID Number: <strong>[Listing ID]</strong><br/><br/>
 Under the provincial <a href='https://www.bclaws.gov.bc.ca/civix/document/id/bills/billsprevious/4th42nd:gov35-1'><i>Short-Term Rental Accommodations Act</i></a> and its regulations, the local government may submit a request to the short-term rental platform to cease providing platform services (e.g., remove this listing from the platform and cancel bookings) within a period of 5-90 days after the date of delivery of this Notice. Short-term rental platforms are required to comply with the local government’s request within 5 days of receiving the request.<br/><br/>
 This Notice has been issued by <strong>[local government]</strong>.<br/><br/>
-<strong>[Optional remarks]</strong><br/><br/>
+<strong>{Comment}</strong><br/><br/>
 For more information on this Notice, or local government short-term rental business licences, please contact your local government.<br/><br/>
 For more information on the <i>Short-term Rental Accommodations Act</i>, please visit: <a href='https://www2.gov.bc.ca/gov/content/housing-tenancy/short-term-rentals'>New rules for short-term rentals - Province of British Columbia (gov.bc.ca)</a>.<br/><br/>
 

server/StrDss.Service/EmailTemplates/TakedownRequest.cs

@@ -13,18 +13,26 @@ public TakedownRequest(IEmailMessageService emailService)
 
         public string Url { get; set; } = "";
         public string? ListingId { get; set; }
+        public bool IsWithStandardDetail { get; set; }
+        public string TakedownRequestDetail { get; set; } = "";
 
         public override string GetContent()
         {
+            var standardText = IsWithStandardDetail ? Constants.StandardTakedownDetail : "";
+
             Subject = "Confirmation of Takedown Request";
 
             return (Preview ? GetPreviewHeader() : "") + $@"
 A takedown request for the following short-term rental listing was submitted to the Province of B.C.’s Short-term Rental Data Portal and will be delivered to the platform at 11:50pm PST tonight:<br/><br/>
-<b>{Sanitize(Url)}</b><br/><br/>
-Listing ID Number: <b>{Sanitize(ListingId)}</b><br/><br/>
+<b>{Url}</b><br/><br/>
+Listing ID Number: <b>{ListingId}</b><br/><br/>" 
++ (IsWithStandardDetail ? $@"{standardText}<br/><br/>" : "")
++ (TakedownRequestDetail.IsNotEmpty() ? $@"{TakedownRequestDetail}<br/><br/>" : "")
++ $@"
 Under the <a href='https://www.bclaws.gov.bc.ca/civix/document/id/bills/billsprevious/4th42nd:gov35-1'>Short-Term Rental Accommodations Act</a> and its regulations, the platform is required to comply with the request within 5 days from the date of receipt of the request. If the platform fails to comply with the request (e.g., remove the listing), local governments can escalate the matter to the Director of the Provincial STR Compliance and Enforcement Unit at: <a href='mailto: CEUescalations@gov.bc.ca'>CEUescalations@gov.bc.ca</a>.<br/><br/>
 This email has been automatically generated. Please do not reply to this email.
 ";
+
         }
     }   
 }

server/StrDss.Service/EmailTemplates/TakedownRequestFromListing.cs

@@ -1,4 +1,6 @@
-namespace StrDss.Service.EmailTemplates
+using StrDss.Common;
+
+namespace StrDss.Service.EmailTemplates
 {
     public class TakedownRequestFromListing : TakedownRequest
     {
@@ -14,10 +16,15 @@ public string GetHtmlPreview()
         {
             Subject = "Confirmation of Takedown Request";
 
+            var standardText = IsWithStandardDetail ? Constants.StandardTakedownDetail : "";
+
             return (Preview ? GetPreviewHeader() : "") + $@"
 A takedown request for the following short-term rental listing was submitted to the Province of B.C.’s Short-term Rental Data Portal and will be delivered to the platform at 11:50pm PST tonight:<br/><br/>
-<strong>[URL of the listing]</strong><br/><br/>
-Listing ID Number: <strong>[Listing ID]</strong><br/><br/>
+<b>{Url}</b><br/><br/>
+Listing ID Number: <b>{ListingId}</b><br/><br/>"
++ (IsWithStandardDetail ? $@"{standardText}<br/><br/>" : "")
++ (TakedownRequestDetail.IsNotEmpty() ? $@"{TakedownRequestDetail}<br/><br/>" : "")
++ $@"
 Under the <a href='https://www.bclaws.gov.bc.ca/civix/document/id/bills/billsprevious/4th42nd:gov35-1'>Short-Term Rental Accommodations Act</a> and its regulations, the platform is required to comply with the request within 5 days from the date of receipt of the request. If the platform fails to comply with the request (e.g., remove the listing), local governments can escalate the matter to the Director of the Provincial STR Compliance and Enforcement Unit at: <a href='mailto: CEUescalations@gov.bc.ca'>CEUescalations@gov.bc.ca</a>.<br/><br/>
 This email has been automatically generated. Please do not reply to this email.
 ";