author | Morris Jobke <hey@morrisjobke.de> | 2017-04-11 16:17:44 -0500 |
---|---|---|
committer | Bjoern Schiessle <bjoern@schiessle.org> | 2017-04-12 17:16:26 +0200 |
commit | 33e077c1c1243884342d51ddc57a1aca4f33049d (patch) | |
tree | 50e2d6de385eba0597d21dd456441b09df010ca1 /lib/private | |
parent | 050ce1d40bf344510338a401ce6b68f76ed3f5e5 (diff) | |
download | nextcloud-server-33e077c1c1243884342d51ddc57a1aca4f33049d.tar.gz nextcloud-server-33e077c1c1243884342d51ddc57a1aca4f33049d.zip |
Properly escape heading, body and button text
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
Diffstat (limited to 'lib/private')
-rw-r--r-- | lib/private/Mail/EMailTemplate.php | 16 |
1 files changed, 11 insertions, 5 deletions
diff --git a/lib/private/Mail/EMailTemplate.php b/lib/private/Mail/EMailTemplate.php
index b47dcf09bfb..bfaee72bedd 100644
--- a/lib/private/Mail/EMailTemplate.php
+++ b/lib/private/Mail/EMailTemplate.php
@@ -345,7 +345,7 @@ EOF;
 $plainTitle = $title;
 }
- $this->htmlBody .= vsprintf($this->heading, [$title]);
+ $this->htmlBody .= vsprintf($this->heading, [htmlspecialchars($title)]);
 $this->plainBody .= $plainTitle . PHP_EOL . PHP_EOL;
 }
@@ -368,7 +368,7 @@ EOF;
 $this->bodyOpened = true;
 }
- $this->htmlBody .= vsprintf($this->bodyText, [$text]);
+ $this->htmlBody .= vsprintf($this->bodyText, [htmlspecialchars($text)]);
 $this->plainBody .= $plainText . PHP_EOL . PHP_EOL;
 }
@@ -382,7 +382,12 @@ EOF;
 * @param string $plainTextLeft Text of left button that is used in the plain text version - if unset the $textLeft is used
 * @param string $plainTextRight Text of right button that is used in the plain text version - if unset the $textRight is used
 */
- public function addBodyButtonGroup($textLeft, $urlLeft, $textRight, $urlRight, $plainTextLeft = '', $plainTextRight = '') {
+ public function addBodyButtonGroup($textLeft,
+ $urlLeft,
+ $textRight,
+ $urlRight,
+ $plainTextLeft = '',
+ $plainTextRight = '') {
 if ($this->footerAdded) {
 return;
 }
@@ -400,7 +405,8 @@ EOF;
 }
 $color = $this->themingDefaults->getColorPrimary();
- $this->htmlBody .= vsprintf($this->buttonGroup, [$color, $color, $urlLeft, $color, $textLeft, $urlRight, $textRight]);
+
+ $this->htmlBody .= vsprintf($this->buttonGroup, [$color, $color, $urlLeft, $color, htmlspecialchars($textLeft), $urlRight, htmlspecialchars($textRight)]);
 $this->plainBody .= $plainTextLeft . ': ' . $urlLeft . PHP_EOL;
 $this->plainBody .= $plainTextRight . ': ' . $urlRight . PHP_EOL . PHP_EOL;
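Review bot: The escaping added on the `+` line of this hunk (and likewise in the hunks at -368 and -400) calls htmlspecialchars() with its default flags, which on the PHP versions current for this commit leave single quotes untouched and, lacking ENT_SUBSTITUTE, return an empty string for a title that is not valid UTF-8, so such a heading silently vanishes from the HTML mail while the plain-text part still carries it. Because $this->heading is assembled outside the hunk, it is not visible here whether the placeholder sits in text or in an attribute context; passing the explicit flags is safe for both, `htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`. Leaving $plainTitle unescaped for the plain-text branch is correct for that format. addHeading begins before this hunk.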
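Review bot: On the rewritten `+` line of the -400 hunk, $urlLeft and $urlRight are still passed into the HTML button group verbatim while only the two label strings are escaped, so a URL containing a double quote, `<` or `&` lands unencoded in the markup, presumably inside an href attribute (the $this->buttonGroup template is outside the hunk). Give both URLs the same attribute-safe treatment so the array literal escapes every caller-supplied value, `htmlspecialchars($urlLeft, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` and the same for $urlRight; $color comes from the theming defaults and is a separate question. The empty `+` line inserted before the vsprintf call looks accidental. The closing lines of addBodyButtonGroup are not visible in this hunk.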
@@ -433,7 +439,7 @@ EOF;
 /**
 * Adds a logo and a text to the footer. <br> in the text will be replaced by new lines in the plain text email
 *
- * @param string $text
+ * @param string $text If the text is empty the default "Name - Slogan<br>This is an automatically generated email" will be used
 */
 public function addFooter($text = '') {
 if($text === '') {