Critical XSS Vulnerability in Cloud Function Exposes Email Recipients to Arbitrary Code Execution
A critical security flaw in a cloud function's email invitation system allows attackers to inject and execute arbitrary HTML and JavaScript in recipients' email clients. The vulnerability stems from the direct interpolation of user-controlled variables—`inviterName`, `groupName`, and `toEmail`—into an HTML email template without any sanitization or escaping. This means a malicious actor could craft a payload, such as a malicious script tag, within a seemingly innocuous field like a group name, and that code would be rendered and executed when the email is opened by the target.
The vulnerability is located in the `functions/index.js` file, specifically lines 58-68, where the email template is constructed. The lack of input validation creates a direct pipeline for cross-site scripting (XSS) attacks via outbound emails. This is not a theoretical risk; it is a functional exploit that could be used to steal session cookies, redirect users to phishing sites, or perform other malicious actions directly within the email client's rendering context.
The severity is marked as critical because it enables the injection of active content into a trusted communication channel. The immediate fix requires sanitizing or HTML-escaping all user-provided strings before they are injected into the template. Until patched, any system using this vulnerable function is actively exposing its users to client-side attacks delivered through a core notification feature, undermining the security of the entire invitation workflow.
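The interpolation flaw described above and the escaping fix it calls for, shown side by side as an added example. This is illustrative code written for this page, not the contents of `functions/index.js`: the function names, the shape of the template and the sample invitation values are assumptions, and the real template at lines 58-68 is not reproduced here.

```javascript
// Added example (not the project's code): an HTML-escaping helper and a
// constructed invitation template in its vulnerable and hardened forms.
// Function names, template layout and sample values are assumptions made
// for this illustration; none of them come from functions/index.js.

// Escape the five characters that change meaning in an HTML text node or a
// double-quoted attribute value. '&' is replaced first so the entities
// produced by the later replacements are not themselves re-escaped.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable form: user-controlled strings are interpolated verbatim, so any
// markup inside a group name becomes live markup in the recipient's client.
function buildInviteEmailUnsafe({ inviterName, groupName, toEmail }) {
  return `<p>Hi ${toEmail},</p>
<p>${inviterName} invited you to join <strong>${groupName}</strong>.</p>`;
}

// Hardened form: every user-provided value is escaped at the point where it
// enters the HTML text context, and nowhere else.
function buildInviteEmailSafe({ inviterName, groupName, toEmail }) {
  return `<p>Hi ${escapeHtml(toEmail)},</p>
<p>${escapeHtml(inviterName)} invited you to join <strong>${escapeHtml(groupName)}</strong>.</p>`;
}

// Defensive check for a code review or unit test: the only tags present in
// the rendered email must be the ones the template itself emits. Any other
// tag means user input reached the HTML unescaped.
const TEMPLATE_TAGS = new Set(['p', '/p', 'strong', '/strong']);
function hasOnlyTemplateTags(html) {
  const tags = html.match(/<\/?[a-zA-Z][^\s>\/]*/g) || [];
  return tags.every((t) => TEMPLATE_TAGS.has(t.slice(1).toLowerCase()));
}

// Constructed sample invitation (not real data). The group name carries each
// of the characters the escaper must handle, plus a script tag of the kind
// the advisory describes.
const CONSTRUCTED_INVITE = {
  inviterName: 'Alice',
  groupName: 'Friends & "Family" <script>alert(1)</script>',
  toEmail: 'bob@example.com',
};

// Demo: render both forms for the constructed invitation and run the check.
console.log(hasOnlyTemplateTags(buildInviteEmailUnsafe(CONSTRUCTED_INVITE))); // false
console.log(hasOnlyTemplateTags(buildInviteEmailSafe(CONSTRUCTED_INVITE)));   // true
```

The escaper above is correct for an HTML text node and for a double-quoted attribute value; a user-supplied value placed into an `href`, a `<style>` block or an inline event handler needs context-specific validation instead, so the safest template keeps user strings in plain text positions only. A templating library that escapes by default achieves the same result with less room for a missed call site; what matters is that escaping happens at the template boundary, not at storage time, so the stored data stays usable elsewhere.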