
Commit 20c4ba6

committed
Escaping content for email messages
1 parent 5fdb464 commit 20c4ba6


15 files changed

+32
-32
lines changed


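--- a/app/Domain/Canvas/Controllers/BoardDialog.php
+++ b/app/Domain/Canvas/Controllers/BoardDialog.php
@@ -74,7 +74,7 @@ public function run()
 $message = sprintf(
 $this->language->__('email_notifications.canvas_created_message'),
 session('userdata.name'),
-"<a href='".$actual_link."'>".$values['title'].'</a>'
+"<a href='".$actual_link."'>".strip_tags($values['title']).'</a>'
 );
 $mailer->setHtml($message);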
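Review bot: strip_tags() on line 77 is not an HTML escaper, so the title still reaches the HTML body unencoded: `&`, quotes and pre-existing entities pass through untouched, and a title such as `a <b` is silently truncated at the `<` because strip_tags() treats it as the start of a tag. For text placed inside an HTML message the context-correct call is `htmlspecialchars($values['title'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`; the same applies to every other strip_tags() site in this commit (Canvas EditCanvasItem and ShowCanvas, Comments, Files, the Goalcanvas controllers, the Ideas controllers, NewProject, ShowProject and Tickets). The value from session('userdata.name') on line 76 is concatenated with no treatment at all; if display names are user-editable it presumably needs the same escaping — cannot be confirmed from this hunk. run() starts and ends outside the hunk.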

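--- a/app/Domain/Canvas/Controllers/EditCanvasItem.php
+++ b/app/Domain/Canvas/Controllers/EditCanvasItem.php
@@ -184,7 +184,7 @@ public function post($params)
 $message = sprintf(
 $this->language->__('email_notifications.canvas_item_update_message'),
 session('userdata.name'),
-$canvasItem['description']
+strip_tags($canvasItem['description'])
 );
 
 $notification = app()->make(NotificationModel::class);
@@ -236,7 +236,7 @@ public function post($params)
 $message = sprintf(
 $this->language->__('email_notifications.canvas_item_created_message'),
 session('userdata.name'),
-$canvasItem['description']
+strip_tags($canvasItem['description'])
 );
 
 $notification = app()->make(NotificationModel::class);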

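--- a/app/Domain/Canvas/Controllers/ShowCanvas.php
+++ b/app/Domain/Canvas/Controllers/ShowCanvas.php
@@ -115,7 +115,7 @@ public function run()
 $message = sprintf(
 $this->language->__('email_notifications.canvas_created_message'),
 session('userdata.name'),
-"<a href='".$actual_link."'>".$values['title'].'</a>'
+"<a href='".$actual_link."'>".strip_tags($values['title']).'</a>'
 );
 $mailer->setHtml($message);
 
@@ -232,7 +232,7 @@ public function run()
 $message = sprintf(
 $this->language->__('email_notifications.canvas_imported_message'),
 session('userdata.name'),
-"<a href='".$actual_link."'>".$canvas[0]['title'].'</a>'
+"<a href='".$actual_link."'>".strip_tags($canvas[0]['title']).'</a>'
 );
 $mailer->setHtml($message);
 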
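--- a/app/Domain/Comments/Services/Comments.php
+++ b/app/Domain/Comments/Services/Comments.php
@@ -66,14 +66,14 @@ public function addComment($values, $module, $entityId, $entity): bool
 
 switch ($module) {
 case 'ticket':
-$subject = sprintf($this->language->__('email_notifications.new_comment_todo_with_type_subject'), $this->language->__('label.'.strtolower($entity->type)), $entity->id, $entity->headline);
-$message = sprintf($this->language->__('email_notifications.new_comment_todo_with_type_message'), session('userdata.name'), $this->language->__('label.'.strtolower($entity->type)), $entity->headline, $values['text']);
+$subject = sprintf($this->language->__('email_notifications.new_comment_todo_with_type_subject'), $this->language->__('label.'.strtolower($entity->type)), $entity->id, strip_tags($entity->headline));
+$message = sprintf($this->language->__('email_notifications.new_comment_todo_with_type_message'), session('userdata.name'), $this->language->__('label.'.strtolower($entity->type)), strip_tags($entity->headline), strip_tags($values['text']));
 $linkLabel = $this->language->__('email_notifications.new_comment_todo_cta');
 $currentUrl = BASE_URL.'#/tickets/showTicket/'.$entity->id;
 break;
 case 'project':
-$subject = sprintf($this->language->__('email_notifications.new_comment_project_subject'), $entityId, $entity['name']);
-$message = sprintf($this->language->__('email_notifications.new_comment_project_message'), session('userdata.name'), $entity['name']);
+$subject = sprintf($this->language->__('email_notifications.new_comment_project_subject'), $entityId, strip_tags($entity['name']));
+$message = sprintf($this->language->__('email_notifications.new_comment_project_message'), session('userdata.name'), strip_tags($entity['name']));
 $linkLabel = $this->language->__('email_notifications.new_comment_project_cta');
 break;
 default: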

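--- a/app/Domain/Files/Services/Files.php
+++ b/app/Domain/Files/Services/Files.php
@@ -51,8 +51,8 @@ public function uploadFile($file, $module, $entityId, $entity = null): array|boo
 
 switch ($module) {
 case 'ticket':
-$subject = sprintf($this->language->__('email_notifications.new_file_todo_subject'), $entity->id, $entity->headline);
-$message = sprintf($this->language->__('email_notifications.new_file_todo_subject'), session('userdata.name'), $entity->headline);
+$subject = sprintf($this->language->__('email_notifications.new_file_todo_subject'), $entity->id, strip_tags($entity->headline));
+$message = sprintf($this->language->__('email_notifications.new_file_todo_subject'), session('userdata.name'), strip_tags($entity->headline));
 $linkLabel = $this->language->__('email_notifications.new_file_todo_cta');
 break;
 default: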
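Review bot: Line 55 builds `$message` from the key `email_notifications.new_file_todo_subject`, the same key line 54 uses for `$subject`, so the e-mail body is the subject template filled with the user name in the id slot; this looks like a copy-paste slip that the commit carries over. A dedicated `email_notifications.new_file_todo_message` key is presumably what was intended — confirm such a key exists in the language files before switching to it. uploadFile() starts and ends outside the hunk.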

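--- a/app/Domain/Goalcanvas/Controllers/Dashboard.php
+++ b/app/Domain/Goalcanvas/Controllers/Dashboard.php
@@ -162,7 +162,7 @@ public function run()
 $message = sprintf(
 $this->language->__('email_notifications.canvas_created_message'),
 session('userdata.name'),
-"<a href='".$actual_link."'>".$values['title'].'</a>'
+"<a href='".$actual_link."'>".strip_tags($values['title']).'</a>'
 );
 $mailer->setHtml($message);
 
@@ -279,7 +279,7 @@ public function run()
 $message = sprintf(
 $this->language->__('email_notifications.canvas_imported_message'),
 session('userdata.name'),
-"<a href='".$actual_link."'>".$canvas[0]['title'].'</a>'
+"<a href='".$actual_link."'>".strip_tags($canvas[0]['title']).'</a>'
 );
 $mailer->setHtml($message);
 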
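--- a/app/Domain/Goalcanvas/Controllers/EditCanvasItem.php
+++ b/app/Domain/Goalcanvas/Controllers/EditCanvasItem.php
@@ -227,7 +227,7 @@ public function post($params): Response
 $message = sprintf(
 $this->language->__('email_notifications.canvas_item_update_message'),
 session('userdata.name'),
-$canvasItem['description']
+strip_tags($canvasItem['description'])
 );
 
 $notification = app()->make(NotificationModel::class);
@@ -280,7 +280,7 @@ public function post($params): Response
 $message = sprintf(
 $this->language->__('email_notifications.canvas_item_created_message'),
 session('userdata.name'),
-$canvasItem['description']
+strip_tags($canvasItem['description'])
 );
 
 $notification = app()->make(NotificationModel::class);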

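--- a/app/Domain/Goalcanvas/Controllers/ShowCanvas.php
+++ b/app/Domain/Goalcanvas/Controllers/ShowCanvas.php
@@ -116,7 +116,7 @@ public function run()
 $message = sprintf(
 $this->language->__('email_notifications.canvas_created_message'),
 session('userdata.name'),
-"<a href='".$actual_link."'>".$values['title'].'</a>'
+"<a href='".$actual_link."'>".strip_tags($values['title']).'</a>'
 );
 $mailer->setHtml($message);
 
@@ -232,7 +232,7 @@ public function run()
 $message = sprintf(
 $this->language->__('email_notifications.canvas_imported_message'),
 session('userdata.name'),
-"<a href='".$actual_link."'>".$canvas[0]['title'].'</a>'
+"<a href='".$actual_link."'>".strip_tags($canvas[0]['title']).'</a>'
 );
 $mailer->setHtml($message);
 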
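--- a/app/Domain/Ideas/Controllers/AdvancedBoards.php
+++ b/app/Domain/Ideas/Controllers/AdvancedBoards.php
@@ -73,7 +73,7 @@ public function run()
 $users = $this->projectService->getUsersToNotify(session('currentProject'));
 
 $mailer->setSubject($this->language->__('email_notifications.idea_board_created_subject'));
-$message = sprintf($this->language->__('email_notifications.idea_board_created_message'), session('userdata.name'), "<a href='".CURRENT_URL."'>".$values['title'].'</a>.<br />');
+$message = sprintf($this->language->__('email_notifications.idea_board_created_message'), session('userdata.name'), "<a href='".CURRENT_URL."'>".strip_tags($values['title']).'</a>.<br />');
 
 $mailer->setHtml($message);
 // $mailer->sendMail($users, session("userdata.name"));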

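--- a/app/Domain/Ideas/Controllers/BoardDialog.php
+++ b/app/Domain/Ideas/Controllers/BoardDialog.php
@@ -73,7 +73,7 @@ public function run()
 $message = sprintf(
 $this->language->__('email_notifications.canvas_created_message'),
 session('userdata.name'),
-"<a href='".$actual_link."'>".$values['title'].'</a>'
+"<a href='".$actual_link."'>".strip_tags($values['title']).'</a>'
 );
 $mailer->setHtml($message);
 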
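--- a/app/Domain/Ideas/Controllers/IdeaDialog.php
+++ b/app/Domain/Ideas/Controllers/IdeaDialog.php
@@ -190,7 +190,7 @@ public function post($params)
 $message = sprintf(
 $this->language->__('notification.idea_edited'),
 session('userdata.name'),
-$params['description']
+strip_tags($params['description'])
 );
 
 $notification = app()->make(NotificationModel::class);
@@ -232,7 +232,7 @@ public function post($params)
 
 $subject = $this->language->__('email_notifications.idea_created_subject');
 $actual_link = BASE_URL.'#/ideas/ideaDialog/'.$id;
-$message = sprintf($this->language->__('email_notifications.idea_created_message'), session('userdata.name'), $params['description']);
+$message = sprintf($this->language->__('email_notifications.idea_created_message'), session('userdata.name'), strip_tags($params['description']));
 
 $notification = app()->make(NotificationModel::class);
 $notification->url = [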

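--- a/app/Domain/Ideas/Controllers/ShowBoards.php
+++ b/app/Domain/Ideas/Controllers/ShowBoards.php
@@ -80,7 +80,7 @@ public function run()
 $users = $this->projectService->getUsersToNotify(session('currentProject'));
 
 $mailer->setSubject($this->language->__('email_notifications.idea_board_created_subject'));
-$message = sprintf($this->language->__('email_notifications.idea_board_created_message'), session('userdata.name'), "<a href='".CURRENT_URL."'>".$values['title'].'</a>.<br />');
+$message = sprintf($this->language->__('email_notifications.idea_board_created_message'), session('userdata.name'), "<a href='".CURRENT_URL."'>".strip_tags($values['title']).'</a>.<br />');
 
 $mailer->setHtml($message);
 // $mailer->sendMail($users, session("userdata.name"));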

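--- a/app/Domain/Projects/Controllers/NewProject.php
+++ b/app/Domain/Projects/Controllers/NewProject.php
@@ -123,7 +123,7 @@ public function run()
 $mailer->setContext('project_created');
 $mailer->setSubject($this->language->__('email_notifications.project_created_subject'));
 $actual_link = BASE_URL.'/projects/showProject/'.$id.'';
-$message = sprintf($this->language->__('email_notifications.project_created_message'), $actual_link, $id, $projectName, session('userdata.name'));
+$message = sprintf($this->language->__('email_notifications.project_created_message'), $actual_link, $id, strip_tags($projectName), session('userdata.name'));
 $mailer->setHtml($message);
 
 $to = [];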

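--- a/app/Domain/Projects/Controllers/ShowProject.php
+++ b/app/Domain/Projects/Controllers/ShowProject.php
@@ -249,7 +249,7 @@ public function run()
 $message = sprintf(
 $this->language->__('email_notifications.project_update_message'),
 session('userdata.name'),
-$values['name']
+strip_tags($values['name'])
 );
 
 $linkLabel = $this->language->__('email_notifications.project_update_cta');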

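--- a/app/Domain/Tickets/Services/Tickets.php
+++ b/app/Domain/Tickets/Services/Tickets.php
@@ -1300,7 +1300,7 @@ public function quickAddTicket($params): array|bool
 if ($result > 0) {
 $values['id'] = $result;
 $actual_link = BASE_URL.'/dashboard/home#/tickets/showTicket/'.$result;
-$message = sprintf($this->language->__('email_notifications.new_todo_message'), session('userdata.name'), $params['headline']);
+$message = sprintf($this->language->__('email_notifications.new_todo_message'), session('userdata.name'), strip_tags($params['headline']));
 $subject = $this->language->__('email_notifications.new_todo_subject');
 
 $notification = app()->make(NotificationModel::class);
@@ -1445,9 +1445,9 @@ public function addTicket($values): array|int|bool
 
 if ($addTicketResponse !== false) {
 $values['id'] = $addTicketResponse;
-$subject = sprintf($this->language->__('email_notifications.new_todo_subject'), $addTicketResponse, $values['headline']);
+$subject = sprintf($this->language->__('email_notifications.new_todo_subject'), $addTicketResponse, strip_tags($values['headline']));
 $actual_link = BASE_URL.'/dashboard/home#/tickets/showTicket/'.$addTicketResponse;
-$message = sprintf($this->language->__('email_notifications.new_todo_message'), session('userdata.name'), $values['headline']);
+$message = sprintf($this->language->__('email_notifications.new_todo_message'), session('userdata.name'), strip_tags($values['headline']));
 
 $notification = app()->make(NotificationModel::class);
 $notification->url = [
@@ -1545,7 +1545,7 @@ public function updateTicket($values): array|bool
 
 // Update Ticket
 if ($this->ticketRepository->updateTicket($values, $values['id']) === true) {
-$subject = sprintf($this->language->__('email_notifications.todo_update_subject'), $values['id'], $values['headline']);
+$subject = sprintf($this->language->__('email_notifications.todo_update_subject'), $values['id'], strip_tags($values['headline']));
 $actual_link = BASE_URL.'/dashboard/home#/tickets/showTicket/'.$values['id'];
 $message = sprintf($this->language->__('email_notifications.todo_update_message'), session('userdata.name'), $values['headline']);
 
@@ -1590,9 +1590,9 @@ public function patch($id, $params): bool
 // Todo: create events and move notification logic to notification module
 if (isset($params['status']) && $return) {
 $ticket = $this->getTicket($id);
-$subject = sprintf($this->language->__('email_notifications.todo_update_subject'), $id, $ticket->headline);
+$subject = sprintf($this->language->__('email_notifications.todo_update_subject'), $id, strip_tags($ticket->headline));
 $actual_link = BASE_URL.'/dashboard/home#/tickets/showTicket/'.$id;
-$message = sprintf($this->language->__('email_notifications.todo_update_message'), session('userdata.name'), $ticket->headline);
+$message = sprintf($this->language->__('email_notifications.todo_update_message'), session('userdata.name'), strip_tags($ticket->headline));
 
 $notification = app()->make(NotificationModel::class);
 $notification->url = [
@@ -1797,9 +1797,9 @@ public function updateTicketStatusAndSorting($params, $handler = null): bool
 $ticket = $this->getTicket($id);
 
 if ($ticket) {
-$subject = sprintf($this->language->__('email_notifications.todo_update_subject'), $id, $ticket->headline);
+$subject = sprintf($this->language->__('email_notifications.todo_update_subject'), $id, strip_tags($ticket->headline));
 $actual_link = BASE_URL.'/dashboard/home#/tickets/showTicket/'.$id;
-$message = sprintf($this->language->__('email_notifications.todo_update_message'), session('userdata.name'), $ticket->headline);
+$message = sprintf($this->language->__('email_notifications.todo_update_message'), session('userdata.name'), strip_tags($ticket->headline));
 
 $notification = app()->make(NotificationModel::class);
 $notification->url = [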
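Review bot: In the updateTicket() hunk, line 1550 still passes the raw `$values['headline']` into `todo_update_message` while the subject on line 1548 gets strip_tags(), so the HTML body on that path is the one spot in this file the commit leaves untreated. Change it to `$message = sprintf($this->language->__('email_notifications.todo_update_message'), session('userdata.name'), strip_tags($values['headline']));` to match the other four hunks. Each of the enclosing methods starts and ends outside its hunk.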
