Correctly escape user-defined names in emails

Closes #1151 Signed-off-by: Thomas Citharel <tcit@tcit.fr>
2022-10-31 13:00:45 +01:00
parent 695d773d50
commit 470a3e594b
28 changed files with 162 additions and 118 deletions
--- a/lib/web/templates/email/group_invite.html.heex
+++ b/lib/web/templates/email/group_invite.html.heex
@@ -46,8 +46,8 @@
          <p style="margin: 0;">
            <%= gettext(
              "<b>%{inviter}</b> just invited you to join their group %{link_start}<b>%{group}</b>%{link_end}",
-              group: @group.name,
-              inviter: @inviter.name,
+              group: escape_html(display_name(@group)),
+              inviter: escape_html(display_name(@inviter)),
              link_start: "<a href=\"#{@group.url}\">",
              link_end: "</a>"
            )