diff --git a/app/views/workshop_invitation_mailer/attending.html.haml b/app/views/workshop_invitation_mailer/attending.html.haml
index 6ab2017fe..db4f2500e 100644
--- a/app/views/workshop_invitation_mailer/attending.html.haml
+++ b/app/views/workshop_invitation_mailer/attending.html.haml
@@ -40,7 +40,7 @@
- if @workshop.description.present?
%p{ style: 'margin-top: 10px;' }
%strong Description:
- = @workshop.description
+ = sanitize(@workshop.description)
.content
%table
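Review bot: The added `= sanitize(@workshop.description)` relies on the application-wide default safe list, which in Rails permits a sizeable set of elements and attributes (links, images and more) — broader than a workshop description inside a mail body is likely to need, and easy to loosen later by a config change nobody associates with these templates. Passing an explicit allowlist narrows the surface, e.g. `= sanitize(@workshop.description, tags: %w[p br strong em ul ol li a], attributes: %w[href])`. The same line is added in the attending_reminder, invite_coach and invite_student templates; a single helper that owns the allowlist would keep the four views consistent and let the specs cover the rendering once. Note also that `description.present?` is evaluated on the raw value while the rendered value may be empty after sanitization, so a description consisting only of disallowed markup still produces the "Description:" label with nothing under it.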
diff --git a/app/views/workshop_invitation_mailer/attending_reminder.html.haml b/app/views/workshop_invitation_mailer/attending_reminder.html.haml
index d1be6de0e..70e2f4439 100644
--- a/app/views/workshop_invitation_mailer/attending_reminder.html.haml
+++ b/app/views/workshop_invitation_mailer/attending_reminder.html.haml
@@ -35,7 +35,7 @@
- if @workshop.description.present?
%p{ style: 'margin-top: 10px;' }
%strong Description:
- = @workshop.description
+ = sanitize(@workshop.description)
.content
%table
diff --git a/app/views/workshop_invitation_mailer/invite_coach.html.haml b/app/views/workshop_invitation_mailer/invite_coach.html.haml
index b44e2893f..f5f0659d3 100644
--- a/app/views/workshop_invitation_mailer/invite_coach.html.haml
+++ b/app/views/workshop_invitation_mailer/invite_coach.html.haml
@@ -41,7 +41,7 @@
- if @workshop.description.present?
%p{ style: 'margin-top: 15px;' }
%strong Description:
- = @workshop.description
+ = sanitize(@workshop.description)
%td{ width: '40%', style: 'vertical-align: top;'}
%h4
Venue
diff --git a/app/views/workshop_invitation_mailer/invite_student.html.haml b/app/views/workshop_invitation_mailer/invite_student.html.haml
index 9e850498f..50f6fe88b 100644
--- a/app/views/workshop_invitation_mailer/invite_student.html.haml
+++ b/app/views/workshop_invitation_mailer/invite_student.html.haml
@@ -38,7 +38,7 @@
- if @workshop.description.present?
%p{ style: 'margin-top: 15px;' }
%strong Description:
- = @workshop.description
+ = sanitize(@workshop.description)
%td{ width: '40%', style: 'vertical-align: top;'}
%h4
Venue
diff --git a/spec/mailers/virtual_workshop_invitation_mailer_spec.rb b/spec/mailers/virtual_workshop_invitation_mailer_spec.rb
index 6ef0b904f..f50e6fdef 100644
--- a/spec/mailers/virtual_workshop_invitation_mailer_spec.rb
+++ b/spec/mailers/virtual_workshop_invitation_mailer_spec.rb
@@ -71,14 +71,15 @@
expect(email.body.encoded).to match('Accept the invitation')
end
- it '#attending includes the workshop description' do
- description = "This is a test workshop description."
+ it '#attending renders workshop description as HTML, not escaped' do
+ description = 'Important notice: Please bring a laptop.'
workshop = Fabricate(:workshop, description: description)
invitation = Fabricate(:workshop_invitation, workshop: workshop, member: member)
WorkshopInvitationMailer.attending(workshop, member, invitation).deliver_now
- expect(email.body.encoded).to include(description)
+ expect(email.body.encoded).to include('Please bring a laptop.')
+ expect(email.body.encoded).not_to include('<strong>Important')
end
it '#invite_coach' do
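Review bot: The rewritten example's fixture `'Important notice: Please bring a laptop.'` contains no markup as shown here, so the example cannot distinguish sanitized from escaped output: `include('Please bring a laptop.')` passes under both renderings and `not_to include('<strong>Important')` passes trivially. If the fixture was meant to carry a `<strong>` element (this page may have stripped it), then Rails' default safe list keeps `strong`, and the negative assertion would contradict the example's title unless the sanitizer is configured otherwise. A fixture that pairs one allowed and one disallowed element pins the behaviour the view change introduces — e.g. `description = '<strong>Important</strong> <script>x</script> Please bring a laptop.'` with `expect(email.body.encoded).to include('<strong>Important</strong>')` and `expect(email.body.encoded).not_to include('<script>')`. The same fixture and assertions appear in the workshop_invitation_mailer_spec hunk below, and no example covers the attending_reminder, invite_coach or invite_student templates that received the same change.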
diff --git a/spec/mailers/workshop_invitation_mailer_spec.rb b/spec/mailers/workshop_invitation_mailer_spec.rb
index e9decbfff..ba0241b8a 100644
--- a/spec/mailers/workshop_invitation_mailer_spec.rb
+++ b/spec/mailers/workshop_invitation_mailer_spec.rb
@@ -110,13 +110,14 @@
expect(email.body.encoded).to match(workshop.chapter.email)
end
- it '#attending includes the workshop description' do
- description = "This is a test workshop description."
+ it '#attending renders workshop description as HTML, not escaped' do
+ description = 'Important notice: Please bring a laptop.'
workshop = Fabricate(:workshop, description: description)
invitation = Fabricate(:workshop_invitation, workshop: workshop, member: member)
WorkshopInvitationMailer.attending(workshop, member, invitation).deliver_now
- expect(email.body.encoded).to include(description)
+ expect(email.body.encoded).to include('Please bring a laptop.')
+ expect(email.body.encoded).not_to include('<strong>Important')
end
end
diff --git a/spec/presenters/address_presenter_spec.rb b/spec/presenters/address_presenter_spec.rb
index 01d45ca4a..67a08fe69 100644
--- a/spec/presenters/address_presenter_spec.rb
+++ b/spec/presenters/address_presenter_spec.rb
@@ -4,7 +4,8 @@
describe '#to_html' do
it 'returns the address in HTML with lines separated with
tags' do
- html_address = "#{address.flat}
#{address.street}
#{address.city}, #{address.postal_code}"
+ escape = ERB::Util.method(:html_escape)
+ html_address = "#{escape.call(address.flat)}
#{escape.call(address.street)}
#{escape.call(address.city)}, #{escape.call(address.postal_code)}"
expect(presenter.to_html).to eq(html_address)
end