Correctly escape user-defined names in emails
Closes #1151 Signed-off-by: Thomas Citharel <tcit@tcit.fr>
@@ -4,12 +4,13 @@ defmodule Mobilizon.Web.EmailView do
pattern: "**/*",
namespace: Mobilizon.Web
alias Mobilizon.Actors.Actor
alias Mobilizon.Service.Address
alias Mobilizon.Service.DateTime, as: DateTimeRenderer
alias Mobilizon.Web.Router.Helpers, as: Routes
import Mobilizon.Web.Gettext
import Mobilizon.Service.Metadata.Utils, only: [process_description: 1]
import Phoenix.HTML, only: [raw: 1]
import Phoenix.HTML, only: [raw: 1, html_escape: 1, safe_to_string: 1]
defdelegate datetime_to_string(datetime, locale \\ "en", format \\ :medium),
to: DateTimeRenderer
@@ -24,4 +25,20 @@ defmodule Mobilizon.Web.EmailView do
defdelegate datetime_relative(datetime, locale \\ "en"), to: DateTimeRenderer
defdelegate render_address(address), to: Address
defdelegate is_same_day?(one, two), to: DateTimeRenderer
defdelegate display_name_and_username(actor), to: Actor
defdelegate display_name(actor), to: Actor
defdelegate preferred_username_and_domain(actor), to: Actor
@spec escape_html(String.t()) :: String.t()
def escape_html(string) do
string
|> html_escape()
|> safe_to_string()
end
def escaped_display_name_and_username(actor) do
actor
|> Actor.display_name_and_username()
|> escape_html()
end
end
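Review bot: `escaped_display_name_and_username/1` is a public view helper added without a `@spec` or `@doc`, unlike `escape_html/1` directly above it; add `@spec escaped_display_name_and_username(Actor.t()) :: String.t()` (assuming `Actor` declares a `t/0` type). Both helpers return an already-escaped plain string rather than a `{:safe, _}` tuple, so the value is only correct when it reaches the output through `raw/1` (still imported in the first hunk) or is interpolated into a string that is later passed to `raw/1`; emitting it with a plain `<%= %>` in an `.html.eex` template would escape it a second time, turning `&` into `&amp;amp;`. A one-line `@doc` on each helper stating that contract, such as "Returns the actor's display name and username HTML-escaped as a plain string, for interpolation into content later rendered with `raw/1`.", would keep future templates from either double-escaping or skipping the escape. The `defmodule` head is outside the hunk, so whether other templates in this module still interpolate unescaped names cannot be checked here.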