hamlab/mobilizon-frontend
2
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Correctly escape user-defined names in emails

Browse Source 
Closes #1151

Signed-off-by: Thomas Citharel <tcit@tcit.fr>
This commit is contained in:
Thomas Citharel
2022-10-31 13:00:45 +01:00
parent 695d773d50
commit 470a3e594b
28 changed files with 162 additions and 118 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
lib/web/templates/email/activity/_member_activity_item.html.heex
View File

@@ -1,58 +1,58 @@
<%= case @activity.subject do %>
<% :member_request -> %>
<%= dgettext("activity", "%{member} requested to join the group.", %{
member: "<b>#{@activity.subject_params["member_actor_name"]}</b>"
member: "<b>#{escape_html(@activity.subject_params["member_actor_name"])}</b>"
})
|> raw %>
<% :member_invited -> %>
<%= dgettext("activity", "%{member} was invited by %{profile}.", %{
member: "<b>#{@activity.subject_params["member_actor_name"]}</b>",
profile: "<b>#{Mobilizon.Actors.Actor.display_name_and_username(@activity.author)}</b>"
member: "<b>#{escape_html(@activity.subject_params["member_actor_name"])}</b>",
profile: "<b>#{escaped_display_name_and_username(@activity.author)}</b>"
})
|> raw %>
<% :member_accepted_invitation -> %>
<%= dgettext("activity", "%{member} accepted the invitation to join the group.", %{
member: "<b>#{@activity.subject_params["member_actor_name"]}</b>"
member: "<b>#{escape_html(@activity.subject_params["member_actor_name"])}</b>"
})
|> raw %>
<% :member_rejected_invitation -> %>
<%= dgettext("activity", "%{member} rejected the invitation to join the group.", %{
member: "<b>#{@activity.subject_params["member_actor_name"]}</b>"
member: "<b>#{escape_html(@activity.subject_params["member_actor_name"])}</b>"
})
|> raw %>
<% :member_joined -> %>
<%= dgettext("activity", "%{member} joined the group.", %{
member:
"<b title=\"#{@activity.subject_params["member_actor_federated_username"]}\">#{@activity.subject_params["member_actor_name"]}</b>"
"<b title=\"#{@activity.subject_params["member_actor_federated_username"]}\">#{escape_html(@activity.subject_params["member_actor_name"])}</b>"
})
|> raw %>
<% :member_added -> %>
<%= dgettext("activity", "%{profile} added the member %{member}.", %{
member: "<b>#{@activity.subject_params["member_actor_name"]}</b>",
profile: "<b>#{Mobilizon.Actors.Actor.display_name_and_username(@activity.author)}</b>"
member: "<b>#{escape_html(@activity.subject_params["member_actor_name"])}</b>",
profile: "<b>#{escaped_display_name_and_username(@activity.author)}</b>"
})
|> raw %>
<% :member_approved -> %>
<%= dgettext("activity", "%{profile} approved the member %{member}.", %{
member: "<b>#{@activity.subject_params["member_actor_name"]}</b>",
profile: "<b>#{Mobilizon.Actors.Actor.display_name_and_username(@activity.author)}</b>"
member: "<b>#{escape_html(@activity.subject_params["member_actor_name"])}</b>",
profile: "<b>#{escaped_display_name_and_username(@activity.author)}</b>"
})
|> raw %>
<% :member_updated -> %>
<%= dgettext("activity", "%{profile} updated the member %{member}.", %{
member: "<b>#{@activity.subject_params["member_actor_name"]}</b>",
profile: "<b>#{Mobilizon.Actors.Actor.display_name_and_username(@activity.author)}</b>"
member: "<b>#{escape_html(@activity.subject_params["member_actor_name"])}</b>",
profile: "<b>#{escaped_display_name_and_username(@activity.author)}</b>"
})
|> raw %>
<% :member_removed -> %>
<%= dgettext("activity", "%{profile} excluded member %{member}.", %{
member: "<b>#{@activity.subject_params["member_actor_name"]}</b>",
profile: "<b>#{Mobilizon.Actors.Actor.display_name_and_username(@activity.author)}</b>"
profile: "<b>#{escaped_display_name_and_username(@activity.author)}</b>"
})
|> raw %>
<% :member_quit -> %>
<%= dgettext("activity", "%{profile} quit the group.", %{
profile: "<b>#{Mobilizon.Actors.Actor.display_name_and_username(@activity.author)}</b>"
profile: "<b>#{escaped_display_name_and_username(@activity.author)}</b>"
})
|> raw %>
<% end %>