Correctly escape user-defined names in emails

Closes #1151 Signed-off-by: Thomas Citharel <tcit@tcit.fr>
2022-10-31 13:00:45 +01:00
parent 695d773d50
commit 470a3e594b
28 changed files with 162 additions and 118 deletions
--- a/lib/web/templates/email/anonymous_participation_confirmation.html.heex
+++ b/lib/web/templates/email/anonymous_participation_confirmation.html.heex
@@ -46,7 +46,7 @@
          <p style="margin: 0;">
            <%= gettext(
              "Hi there! You just registered to join this event: « <b>%{title}</b> ». Please confirm the e-mail address you provided:",
-              title: @participant.event.title
+              title: escape_html(@participant.event.title)
            )
            |> raw %>
          </p>