Correctly escape user-defined names in emails

Closes #1151

Signed-off-by: Thomas Citharel <tcit@tcit.fr>
Thomas Citharel
2022-10-31 13:00:45 +01:00
parent 695d773d50
commit 470a3e594b
28 changed files with 162 additions and 118 deletions


@@ -1,52 +1,52 @@
<%= case @activity.subject do %>
<% :event_created -> %>
<%= dgettext("activity", "The event %{event} was created by %{profile}.", %{
profile: "<b>#{Mobilizon.Actors.Actor.display_name_and_username(@activity.author)}</b>",
profile: "<b>#{escaped_display_name_and_username(@activity.author)}</b>",
event:
"<a href=\"#{Routes.page_url(Mobilizon.Web.Endpoint,
:event,
@activity.subject_params["event_uuid"]) |> URI.decode()}\">
#{@activity.subject_params["event_title"]}
#{escape_html(@activity.subject_params["event_title"])}
</a>"
})
|> raw %>
<% :event_updated -> %>
<%= dgettext("activity", "The event %{event} was updated by %{profile}.", %{
profile: "<b>#{Mobilizon.Actors.Actor.display_name_and_username(@activity.author)}</b>",
profile: "<b>#{escaped_display_name_and_username(@activity.author)}</b>",
event:
"<a href=\"#{Routes.page_url(Mobilizon.Web.Endpoint,
:event,
@activity.subject_params["event_uuid"]) |> URI.decode()}\">
#{@activity.subject_params["event_title"]}
#{escape_html(@activity.subject_params["event_title"])}
</a>"
})
|> raw %>
<% :event_deleted -> %>
<%= dgettext("activity", "The event %{event} was deleted by %{profile}.", %{
profile: "<b>#{Mobilizon.Actors.Actor.display_name_and_username(@activity.author)}</b>",
event: "<b>#{@activity.subject_params["event_title"]}</b>"
profile: "<b>#{escaped_display_name_and_username(@activity.author)}</b>",
event: "<b>#{escape_html(@activity.subject_params["event_title"])}</b>"
})
|> raw %>
<% :comment_posted -> %>
<%= if @activity.subject_params["comment_reply_to"] do %>
<%= dgettext("activity", "%{profile} replied to a comment on the event %{event}.", %{
profile: "<b>#{Mobilizon.Actors.Actor.display_name_and_username(@activity.author)}</b>",
profile: "<b>#{escaped_display_name_and_username(@activity.author)}</b>",
event:
"<a href=\"#{Routes.page_url(Mobilizon.Web.Endpoint,
:event,
@activity.subject_params["event_uuid"]) |> URI.decode()}\">
#{@activity.subject_params["event_title"]}
#{escape_html(@activity.subject_params["event_title"])}
</a>"
})
|> raw %>
<% else %>
<%= dgettext("activity", "%{profile} posted a comment on the event %{event}.", %{
profile: "<b>#{Mobilizon.Actors.Actor.display_name_and_username(@activity.author)}</b>",
profile: "<b>#{escaped_display_name_and_username(@activity.author)}</b>",
event:
"<a href=\"#{Routes.page_url(Mobilizon.Web.Endpoint,
:event,
@activity.subject_params["event_uuid"]) |> URI.decode()}\">
#{@activity.subject_params["event_title"]}
#{escape_html(@activity.subject_params["event_title"])}
</a>"
})
|> raw %>