Correctly escape user-defined names in emails

Closes #1151

Signed-off-by: Thomas Citharel <tcit@tcit.fr>
Thomas Citharel
2022-10-31 13:00:45 +01:00
parent 695d773d50
commit 470a3e594b
28 changed files with 162 additions and 118 deletions

@@ -45,7 +45,7 @@
>
<p style="margin: 0;">
<%= gettext("<b>%{name}</b> just requested to follow your instance.",
name: Mobilizon.Actors.Actor.display_name_and_username(@follower)
name: escape_html(display_name_and_username(@follower))
)
|> raw %>
<br />
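Review bot: the `|> raw` after this gettext call still emits the whole interpolated string unescaped, so safety here depends on every binding being escaped at the call site, as `name:` now is. A short template comment above the call stating that would keep a later binding from being added without `escape_html`. The unqualified `escape_html` and `display_name_and_username` also depend on imports that are not visible in this hunk; worth confirming that every template touched by the commit has them in scope.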
@@ -67,7 +67,7 @@
<p style="margin: 0;">
<%= gettext(
"Note: %{name} following you doesn't necessarily imply that you follow this instance, but you can ask to follow them too.",
name: Mobilizon.Actors.Actor.display_name_and_username(@follower)
name: escape_html(display_name_and_username(@follower))
) %>
</p>
</td>
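Review bot: unlike the call in the previous hunk, this gettext call is not piped to `raw`, so if the template engine already escapes `<%= %>` output, `escape_html` on the `name:` line escapes the value twice and a display name containing `&` would show up as `&amp;` in the email. Either drop `escape_html` here and rely on the engine's escaping, or add a test that renders this note with a name containing `&` and `<` and checks the output.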