Correctly escape user-defined names in emails

Closes #1151 Signed-off-by: Thomas Citharel <tcit@tcit.fr>
2022-10-31 13:00:45 +01:00
parent 695d773d50
commit 470a3e594b
28 changed files with 162 additions and 118 deletions
--- a/lib/web/templates/email/email_anonymous_activity.html.heex
+++ b/lib/web/templates/email/email_anonymous_activity.html.heex
@@ -49,13 +49,12 @@
                  "activity",
                  "%{profile} has posted an announcement under event %{event}.",
                  %{
-                    profile:
-                      "<b>#{Mobilizon.Actors.Actor.display_name_and_username(@activity.author)}</b>",
+                    profile: "<b>#{escape_html(display_name_and_username(@activity.author))}</b>",
                    event:
                      "<a href=\"#{Routes.page_url(Mobilizon.Web.Endpoint,
                      :event,
                      @activity.subject_params["event_uuid"]) |> URI.decode()}\">
-                                #{@activity.subject_params["event_title"]}
+                                #{escape_html(@activity.subject_params["event_title"])}
                            </a>"
                  }
                )