authorMorris Jobke <hey@morrisjobke.de>2017-04-11 16:17:44 -0500
committerBjoern Schiessle <bjoern@schiessle.org>2017-04-12 17:16:26 +0200
commit33e077c1c1243884342d51ddc57a1aca4f33049d (patch)
tree50e2d6de385eba0597d21dd456441b09df010ca1 /lib/private/Mail/EMailTemplate.php
parent050ce1d40bf344510338a401ce6b68f76ed3f5e5 (diff)
Properly escape heading, body and button text
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
Diffstat (limited to 'lib/private/Mail/EMailTemplate.php')
-rw-r--r--lib/private/Mail/EMailTemplate.php16
1 files changed, 11 insertions, 5 deletions
diff --git a/lib/private/Mail/EMailTemplate.php b/lib/private/Mail/EMailTemplate.php
index b47dcf09bfb..bfaee72bedd 100644
--- a/lib/private/Mail/EMailTemplate.php
+++ b/lib/private/Mail/EMailTemplate.php
@@ -345,7 +345,7 @@ EOF;
$plainTitle = $title;
}
- $this->htmlBody .= vsprintf($this->heading, [$title]);
+ $this->htmlBody .= vsprintf($this->heading, [htmlspecialchars($title)]);
$this->plainBody .= $plainTitle . PHP_EOL . PHP_EOL;
}
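Review bot: The new `htmlspecialchars($title)` on the heading line relies on PHP's default flags, which (before PHP 8.1) do not escape single quotes and do not include ENT_SUBSTITUTE, so a title containing a `'` is still passed through unescaped into whatever markup `$this->heading` wraps it in. Since the heading template is defined outside this hunk, whether the value lands in an attribute cannot be confirmed here, but the safer call is context-independent: `$this->htmlBody .= vsprintf($this->heading, [htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')]);`. The enclosing method begins before this hunk.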
@@ -368,7 +368,7 @@ EOF;
$this->bodyOpened = true;
}
- $this->htmlBody .= vsprintf($this->bodyText, [$text]);
+ $this->htmlBody .= vsprintf($this->bodyText, [htmlspecialchars($text)]);
$this->plainBody .= $plainText . PHP_EOL . PHP_EOL;
}
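Review bot: The added `htmlspecialchars($text)` on the body-text line silently returns an empty string when `$text` contains an invalid UTF-8 sequence (the behaviour without ENT_SUBSTITUTE on PHP versions older than 8.1), so the HTML body would carry an empty paragraph while the plain-text body on the next line still carries the original bytes, and the two versions of the mail would diverge. Passing `ENT_QUOTES | ENT_SUBSTITUTE` and an explicit `'UTF-8'` makes the escaping replace bad bytes with U+FFFD instead of dropping the whole string: `$this->htmlBody .= vsprintf($this->bodyText, [htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')]);`. The enclosing method begins before this hunk.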
@@ -382,7 +382,12 @@ EOF;
* @param string $plainTextLeft Text of left button that is used in the plain text version - if unset the $textLeft is used
* @param string $plainTextRight Text of right button that is used in the plain text version - if unset the $textRight is used
*/
- public function addBodyButtonGroup($textLeft, $urlLeft, $textRight, $urlRight, $plainTextLeft = '', $plainTextRight = '') {
+ public function addBodyButtonGroup($textLeft,
+ $urlLeft,
+ $textRight,
+ $urlRight,
+ $plainTextLeft = '',
+ $plainTextRight = '') {
if ($this->footerAdded) {
return;
}
@@ -400,7 +405,8 @@ EOF;
}
$color = $this->themingDefaults->getColorPrimary();
- $this->htmlBody .= vsprintf($this->buttonGroup, [$color, $color, $urlLeft, $color, $textLeft, $urlRight, $textRight]);
+
+ $this->htmlBody .= vsprintf($this->buttonGroup, [$color, $color, $urlLeft, $color, htmlspecialchars($textLeft), $urlRight, htmlspecialchars($textRight)]);
$this->plainBody .= $plainTextLeft . ': ' . $urlLeft . PHP_EOL;
$this->plainBody .= $plainTextRight . ': ' . $urlRight . PHP_EOL . PHP_EOL;
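Review bot: Only the two button labels are escaped on the rewritten `vsprintf($this->buttonGroup, ...)` line; `$urlLeft` and `$urlRight` are still interpolated raw into the HTML, and `$color` from the theming defaults is as well. The button template itself is outside this hunk, but a URL that ends up in an `href` attribute can break out of it with a `"` and is also rendered with unescaped `&`, so the URLs should go through the same attribute-safe escaping, e.g. `$this->htmlBody .= vsprintf($this->buttonGroup, [$color, $color, htmlspecialchars($urlLeft, ENT_QUOTES), $color, htmlspecialchars($textLeft, ENT_QUOTES), htmlspecialchars($urlRight, ENT_QUOTES), htmlspecialchars($textRight, ENT_QUOTES)]);`. Escaping does not neutralise a `javascript:` scheme, so callers that pass untrusted URLs still need to validate the scheme before calling this method; a docblock note on `$urlLeft`/`$urlRight` would make that expectation explicit. addBodyButtonGroup starts before this hunk.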
@@ -433,7 +439,7 @@ EOF;
/**
* Adds a logo and a text to the footer. <br> in the text will be replaced by new lines in the plain text email
*
- * @param string $text
+ * @param string $text If the text is empty the default "Name - Slogan<br>This is an automatically generated email" will be used
*/
public function addFooter($text = '') {
if($text === '') {
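Review bot: The reworded `@param string $text` line documents the default but not the trust level of a caller-supplied value, which matters because the description on the line above says `<br>` in the text is translated for the plain-text version, implying the HTML version keeps the markup as-is and therefore cannot receive the blanket `htmlspecialchars` the heading, body and button text get in this commit. I would state that explicitly so callers do not assume the footer is escaped like the rest: `* @param string $text Inserted into the HTML footer as markup (only <br> is converted for the plain-text version) – the caller is responsible for escaping untrusted content; if empty the default "Name - Slogan<br>This is an automatically generated email" will be used`. Whether the footer text is escaped later in the method cannot be seen here, as addFooter's body continues outside the hunk.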