Correctly escape user-defined names in emails

Closes #1151 Signed-off-by: Thomas Citharel <tcit@tcit.fr>
2022-10-31 13:00:45 +01:00
parent 695d773d50
commit 470a3e594b
28 changed files with 162 additions and 118 deletions
--- a/lib/web/templates/email/activity/_comment_activity_item.html.heex
+++ b/lib/web/templates/email/activity/_comment_activity_item.html.heex
@@ -1,35 +1,35 @@
 <%= case @activity.subject do %>
  <% :event_comment_mention -> %>
    <%= dgettext("activity", "%{profile} mentionned you in a comment under event %{event}.", %{
-      profile: "<b>#{Mobilizon.Actors.Actor.display_name_and_username(@activity.author)}</b>",
+      profile: "<b>#{escaped_display_name_and_username(@activity.author)}</b>",
      event:
        "<a href=\"#{Routes.page_url(Mobilizon.Web.Endpoint,
        :event,
        @activity.subject_params["event_uuid"]) |> URI.decode()}\">
-                            #{@activity.subject_params["event_title"]}
+                            #{escape_html(@activity.subject_params["event_title"])}
                        </a>"
    })
    |> raw %>
  <% :participation_event_comment -> %>
    <%= dgettext("activity", "%{profile} has posted an announcement under event %{event}.", %{
-      profile: "<b>#{Mobilizon.Actors.Actor.display_name_and_username(@activity.author)}</b>",
+      profile: "<b>#{escaped_display_name_and_username(@activity.author)}</b>",
      event:
        "<a href=\"#{Routes.page_url(Mobilizon.Web.Endpoint,
        :event,
        @activity.subject_params["event_uuid"]) |> URI.decode()}\">
-                            #{@activity.subject_params["event_title"]}
+                            #{escape_html(@activity.subject_params["event_title"])}
                        </a>"
    })
    |> raw %>
  <% :event_new_comment -> %>
    <%= if @activity.subject_params["comment_reply_to"] do %>
      <%= dgettext("activity", "%{profile} has posted a new reply under your event %{event}.", %{
-        profile: "<b>#{Mobilizon.Actors.Actor.display_name_and_username(@activity.author)}</b>",
+        profile: "<b>#{escaped_display_name_and_username(@activity.author)}</b>",
        event:
          "<a href=\"#{Routes.page_url(Mobilizon.Web.Endpoint,
          :event,
          @activity.subject_params["event_uuid"]) |> URI.decode()}#comment-#{@activity.subject_params["comment_reply_to_uuid"]}-#{@activity.subject_params["comment_uuid"]}\">
-                                #{@activity.subject_params["event_title"]}
+                                #{escape_html(@activity.subject_params["event_title"])}
                            </a>"
      })
      |> raw %>
@@ -38,12 +38,12 @@
        "activity",
        "%{profile} has posted a new comment under your event %{event}.",
        %{
-          profile: "<b>#{Mobilizon.Actors.Actor.display_name_and_username(@activity.author)}</b>",
+          profile: "<b>#{escaped_display_name_and_username(@activity.author)}</b>",
          event:
            "<a href=\"#{Routes.page_url(Mobilizon.Web.Endpoint,
            :event,
            @activity.subject_params["event_uuid"]) |> URI.decode()}#comment-#{@activity.subject_params["comment_uuid"]}\">
-                                #{@activity.subject_params["event_title"]}
+                                #{escape_html(@activity.subject_params["event_title"])}
                            </a>"
        }
      )