Correctly escape user-defined names in emails

Closes #1151 Signed-off-by: Thomas Citharel <tcit@tcit.fr>
2022-10-31 13:00:45 +01:00
parent 695d773d50
commit 470a3e594b
28 changed files with 162 additions and 118 deletions
--- a/lib/web/templates/email/group_membership_approval.html.heex
+++ b/lib/web/templates/email/group_membership_approval.html.heex
@@ -46,9 +46,9 @@
          <p style="margin: 0;">
            <%= gettext(
              "Your membership request for group %{link_start}<b>%{group}</b>%{link_end} has been approved.",
-              group: Mobilizon.Actors.Actor.display_name(@group),
+              group: escape_html(display_name(@group)),
              link_start:
-                "<a href=\"#{Routes.page_url(Mobilizon.Web.Endpoint, :actor, Mobilizon.Actors.Actor.preferred_username_and_domain(@group)) |> URI.decode()}\">",
+                "<a href=\"#{Routes.page_url(Mobilizon.Web.Endpoint, :actor, preferred_username_and_domain(@group)) |> URI.decode()}\">",
              link_end: "</a>"
            )
            |> raw %>