Correctly escape user-defined names in emails

Closes #1151 Signed-off-by: Thomas Citharel <tcit@tcit.fr>
2022-10-31 13:00:45 +01:00
parent 695d773d50
commit 470a3e594b
28 changed files with 162 additions and 118 deletions
--- a/lib/web/templates/email/activity/_discussion_activity_item.html.heex
+++ b/lib/web/templates/email/activity/_discussion_activity_item.html.heex
@@ -1,40 +1,40 @@
 <%= case @activity.subject do %>
  <% :discussion_created -> %>
    <%= dgettext("activity", "%{profile} created the discussion %{discussion}.", %{
-      profile: "<b>#{Mobilizon.Actors.Actor.display_name_and_username(@activity.author)}</b>",
+      profile: "<b>#{escaped_display_name_and_username(@activity.author)}</b>",
      discussion:
        "<a href=\"#{Routes.page_url(Mobilizon.Web.Endpoint, :discussion, Mobilizon.Actors.Actor.preferred_username_and_domain(@activity.group), @activity.subject_params["discussion_slug"]) |> URI.decode()}\">
-                            #{@activity.subject_params["discussion_title"]}</a>"
+                            #{escape_html(@activity.subject_params["discussion_title"])}</a>"
    })
    |> raw %>
  <% :discussion_replied -> %>
    <%= dgettext("activity", "%{profile} replied to the discussion %{discussion}.", %{
-      profile: "<b>#{Mobilizon.Actors.Actor.display_name_and_username(@activity.author)}</b>",
+      profile: "<b>#{escaped_display_name_and_username(@activity.author)}</b>",
      discussion:
        "<a href=\"#{Routes.page_url(Mobilizon.Web.Endpoint, :discussion, Mobilizon.Actors.Actor.preferred_username_and_domain(@activity.group), @activity.subject_params["discussion_slug"]) |> URI.decode()}\">
-                            #{@activity.subject_params["discussion_title"]}</a>"
+                            #{escape_html(@activity.subject_params["discussion_title"])}</a>"
    })
    |> raw %>
  <% :discussion_renamed -> %>
    <%= dgettext("activity", "%{profile} renamed the discussion %{discussion}.", %{
-      profile: "<b>#{Mobilizon.Actors.Actor.display_name_and_username(@activity.author)}</b>",
+      profile: "<b>#{escaped_display_name_and_username(@activity.author)}</b>",
      discussion:
        "<a href=\"#{Routes.page_url(Mobilizon.Web.Endpoint, :discussion, Mobilizon.Actors.Actor.preferred_username_and_domain(@activity.group), @activity.subject_params["discussion_slug"]) |> URI.decode()}\">
-                            #{@activity.subject_params["discussion_title"]}</a>"
+                            #{escape_html(@activity.subject_params["discussion_title"])}</a>"
    })
    |> raw %>
  <% :discussion_archived -> %>
    <%= dgettext("activity", "%{profile} archived the discussion %{discussion}.", %{
-      profile: "<b>#{Mobilizon.Actors.Actor.display_name_and_username(@activity.author)}</b>",
+      profile: "<b>#{escaped_display_name_and_username(@activity.author)}</b>",
      discussion:
        "<a href=\"#{Routes.page_url(Mobilizon.Web.Endpoint, :discussion, Mobilizon.Actors.Actor.preferred_username_and_domain(@activity.group), @activity.subject_params["discussion_slug"]) |> URI.decode()}\">
-                            #{@activity.subject_params["discussion_title"]}</a>"
+                            #{escape_html(@activity.subject_params["discussion_title"])}</a>"
    })
    |> raw %>
  <% :discussion_deleted -> %>
    <%= dgettext("activity", "%{profile} deleted the discussion %{discussion}.", %{
-      profile: "<b>#{Mobilizon.Actors.Actor.display_name_and_username(@activity.author)}</b>",
-      discussion: "<b>#{@activity.subject_params["discussion_title"]}</b>"
+      profile: "<b>#{escaped_display_name_and_username(@activity.author)}</b>",
+      discussion: "<b>#{escape_html(@activity.subject_params["discussion_title"])}</b>"
    })
    |> raw %>
 <% end %>