From 026fbb99a6380054545c14c16590e96a9e77995c Mon Sep 17 00:00:00 2001
From: Jean-Philippe Lang <jp_lang@yahoo.fr>
Date: Thu, 18 Feb 2010 19:13:38 +0000
Subject: [PATCH] Escaping in html email templates (#4874).

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@3452 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/views/mailer/_issue_text_html.rhtml          | 16 ++++++++--------
 .../account_activation_request.text.html.rhtml   |  2 +-
 .../mailer/account_information.text.html.rhtml   |  6 +++---
 .../mailer/attachments_added.text.html.rhtml     |  2 +-
 app/views/mailer/document_added.text.html.rhtml  |  2 +-
 app/views/mailer/issue_add.text.html.rhtml       |  2 +-
 app/views/mailer/issue_edit.text.html.rhtml      |  2 +-
 app/views/mailer/lost_password.text.html.rhtml   |  2 +-
 app/views/mailer/message_posted.text.html.rhtml  |  4 ++--
 app/views/mailer/news_added.text.html.rhtml      |  4 ++--
 10 files changed, 21 insertions(+), 21 deletions(-)

diff --git a/app/views/mailer/_issue_text_html.rhtml b/app/views/mailer/_issue_text_html.rhtml
index d0f247812..3b1812d98 100644
--- a/app/views/mailer/_issue_text_html.rhtml
+++ b/app/views/mailer/_issue_text_html.rhtml
@@ -1,14 +1,14 @@
-<h1><%= link_to "#{issue.tracker.name} ##{issue.id}: #{issue.subject}", issue_url %></h1>
+<h1><%= link_to(h("#{issue.tracker.name} ##{issue.id}: #{issue.subject}"), issue_url) %></h1>
 
 <ul>
-<li><%=l(:field_author)%>: <%= issue.author %></li>
-<li><%=l(:field_status)%>: <%= issue.status %></li>
-<li><%=l(:field_priority)%>: <%= issue.priority %></li>
-<li><%=l(:field_assigned_to)%>: <%= issue.assigned_to %></li>
-<li><%=l(:field_category)%>: <%= issue.category %></li>
-<li><%=l(:field_fixed_version)%>: <%= issue.fixed_version %></li>
+<li><%=l(:field_author)%>: <%=h issue.author %></li>
+<li><%=l(:field_status)%>: <%=h issue.status %></li>
+<li><%=l(:field_priority)%>: <%=h issue.priority %></li>
+<li><%=l(:field_assigned_to)%>: <%=h issue.assigned_to %></li>
+<li><%=l(:field_category)%>: <%=h issue.category %></li>
+<li><%=l(:field_fixed_version)%>: <%=h issue.fixed_version %></li>
 <% issue.custom_values.each do |c| %>
-  <li><%= c.custom_field.name %>: <%= show_value(c) %></li>
+  <li><%=h c.custom_field.name %>: <%=h show_value(c) %></li>
 <% end %>
 </ul>
 
diff --git a/app/views/mailer/account_activation_request.text.html.rhtml b/app/views/mailer/account_activation_request.text.html.rhtml
index 145ecfc8e..b19cf3219 100644
--- a/app/views/mailer/account_activation_request.text.html.rhtml
+++ b/app/views/mailer/account_activation_request.text.html.rhtml
@@ -1,2 +1,2 @@
-<p><%= l(:mail_body_account_activation_request, @user.login) %></p>
+<p><%= l(:mail_body_account_activation_request, h(@user.login)) %></p>
 <p><%= link_to @url, @url %></p>
diff --git a/app/views/mailer/account_information.text.html.rhtml b/app/views/mailer/account_information.text.html.rhtml
index 3b6ab6a9d..94c3297ed 100644
--- a/app/views/mailer/account_information.text.html.rhtml
+++ b/app/views/mailer/account_information.text.html.rhtml
@@ -1,10 +1,10 @@
 <% if @user.auth_source %>
-<p><%= l(:mail_body_account_information_external, @user.auth_source.name) %></p>
+<p><%= l(:mail_body_account_information_external, h(@user.auth_source.name)) %></p>
 <% else %>
 <p><%= l(:mail_body_account_information) %>:</p>
 <ul>
-    <li><%= l(:field_login) %>: <%= @user.login %></li>
-    <li><%= l(:field_password) %>: <%= @password %></li>
+    <li><%= l(:field_login) %>: <%=h @user.login %></li>
+    <li><%= l(:field_password) %>: <%=h @password %></li>
 </ul>
 <% end %>
 
diff --git a/app/views/mailer/attachments_added.text.html.rhtml b/app/views/mailer/attachments_added.text.html.rhtml
index d2355b1c4..369834b6d 100644
--- a/app/views/mailer/attachments_added.text.html.rhtml
+++ b/app/views/mailer/attachments_added.text.html.rhtml
@@ -1,5 +1,5 @@
 <%= link_to @added_to, @added_to_url %><br />
 
 <ul><% @attachments.each do |attachment | %>
-<li><%= attachment.filename %></li>
+<li><%=h attachment.filename %></li>
 <% end %></ul>
diff --git a/app/views/mailer/document_added.text.html.rhtml b/app/views/mailer/document_added.text.html.rhtml
index dc1f659a0..8606dd784 100644
--- a/app/views/mailer/document_added.text.html.rhtml
+++ b/app/views/mailer/document_added.text.html.rhtml
@@ -1,3 +1,3 @@
-<%= link_to @document.title, @document_url %> (<%= @document.category.name %>)<br />
+<%= link_to(h(@document.title), @document_url) %> (<%=h @document.category.name %>)<br />
 <br />
 <%= textilizable(@document, :description, :only_path => false) %>
diff --git a/app/views/mailer/issue_add.text.html.rhtml b/app/views/mailer/issue_add.text.html.rhtml
index ef1d0dec4..bc62306c1 100644
--- a/app/views/mailer/issue_add.text.html.rhtml
+++ b/app/views/mailer/issue_add.text.html.rhtml
@@ -1,3 +1,3 @@
-<%= l(:text_issue_added, :id => "##{@issue.id}", :author => @issue.author) %>
+<%= l(:text_issue_added, :id => "##{@issue.id}", :author => h(@issue.author)) %>
 <hr />
 <%= render :partial => "issue_text_html", :locals => { :issue => @issue, :issue_url => @issue_url } %>
diff --git a/app/views/mailer/issue_edit.text.html.rhtml b/app/views/mailer/issue_edit.text.html.rhtml
index b4a1f953e..05c67208e 100644
--- a/app/views/mailer/issue_edit.text.html.rhtml
+++ b/app/views/mailer/issue_edit.text.html.rhtml
@@ -1,4 +1,4 @@
-<%= l(:text_issue_updated, :id => "##{@issue.id}", :author => @journal.user) %>
+<%= l(:text_issue_updated, :id => "##{@issue.id}", :author => h(@journal.user)) %>
 
 <ul>
 <% for detail in @journal.details %>
diff --git a/app/views/mailer/lost_password.text.html.rhtml b/app/views/mailer/lost_password.text.html.rhtml
index 4dd570c94..40bb8e9c9 100644
--- a/app/views/mailer/lost_password.text.html.rhtml
+++ b/app/views/mailer/lost_password.text.html.rhtml
@@ -1,4 +1,4 @@
 <p><%= l(:mail_body_lost_password) %><br />
 <%= auto_link(@url) %></p>
 
-<p><%= l(:field_login) %>: <b><%= @token.user.login %></b></p>
+<p><%= l(:field_login) %>: <b><%=h @token.user.login %></b></p>
diff --git a/app/views/mailer/message_posted.text.html.rhtml b/app/views/mailer/message_posted.text.html.rhtml
index d91ce5a04..f43a8cf0f 100644
--- a/app/views/mailer/message_posted.text.html.rhtml
+++ b/app/views/mailer/message_posted.text.html.rhtml
@@ -1,4 +1,4 @@
-<h1><%=h @message.board.project.name %> - <%=h @message.board.name %>: <%= link_to @message.subject, @message_url %></h1>
-<em><%= @message.author %></em>
+<h1><%=h @message.board.project.name %> - <%=h @message.board.name %>: <%= link_to(h(@message.subject), @message_url) %></h1>
+<em><%=h @message.author %></em>
 
 <%= textilizable(@message, :content, :only_path => false) %>
diff --git a/app/views/mailer/news_added.text.html.rhtml b/app/views/mailer/news_added.text.html.rhtml
index 15bc89fac..758ebccb8 100644
--- a/app/views/mailer/news_added.text.html.rhtml
+++ b/app/views/mailer/news_added.text.html.rhtml
@@ -1,4 +1,4 @@
-<h1><%= link_to @news.title, @news_url %></h1>
-<em><%= @news.author.name %></em>
+<h1><%= link_to(h(@news.title), @news_url) %></h1>
+<em><%=h @news.author.name %></em>
 
 <%= textilizable(@news, :description, :only_path => false) %>