Correctly escape user-defined names in emails

Closes #1151 Signed-off-by: Thomas Citharel <tcit@tcit.fr>
2022-10-31 13:00:45 +01:00
parent 695d773d50
commit 470a3e594b
28 changed files with 162 additions and 118 deletions
--- a/lib/web/templates/email/event_participation_rejected.html.heex
+++ b/lib/web/templates/email/event_participation_rejected.html.heex
@@ -44,7 +44,9 @@
          style="padding: 20px 30px 0px 30px; color: #474467; font-family: 'Roboto', Helvetica, Arial, sans-serif; font-size: 18px; font-weight: 400; line-height: 25px;"
        >
          <p style="margin: 0;">
-            <%= gettext("You issued a request to attend <b>%{title}</b>.", title: @event.title)
+            <%= gettext("You issued a request to attend <b>%{title}</b>.",
+              title: escape_html(@event.title)
+            )
            |> raw %>
          </p>
        </td>