Commit 7b9da6d648662f0f3f0d30e4c574c477aebb35fa
Exists in
staging
and in
1 other branch
Merge branch 'master' into staging
Showing
3 changed files
with
12 additions
and
2 deletions
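--- a/app/helpers/email_template_helper.rb
+++ b/app/helpers/email_template_helper.rb
@@ -6,7 +6,7 @@ module EmailTemplateHelper
 params[:subject] = params[:email_template].parsed_subject(params[:template_params])
 params[:content_type] = "text/html"
 end
-mail(params.except(:email_template))
+mail(params.except(:email_template, :template_params))
 end
 
 end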
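Review bot: The `params.except(:email_template, :template_params)` argument on the `mail(...)` line is a denylist, so any other helper-only key later placed in `params` would again be handed to `mail`, which treats unrecognised keys as message headers. Passing only the intended keys would close that off, e.g. `mail(params.slice(:to, :from, :subject, :body, :content_type))` with the list adjusted to what callers really send. Keeping the template inputs in a separate argument instead of in `params` would do the same. The enclosing method starts above the hunk, so the full set of keys callers pass is not visible here.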
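--- a/app/views/account/_signup_form.html.erb
+++ b/app/views/account/_signup_form.html.erb
@@ -111,7 +111,7 @@
 
 <% unless @terms_of_use.blank? %>
 <div id='terms-of-use-box' class='formfieldline'>
-<%= labelled_check_box(_('I accept the %s') % link_to(_('terms of use'), {:controller => 'home', :action => 'terms'}, :target => '_blank'), 'user[terms_accepted]') %>
+<%= labelled_check_box(_('I accept the %s').html_safe % link_to(_('terms of use'), {:controller => 'home', :action => 'terms'}, :target => '_blank'), 'user[terms_accepted]') %>
 </div>
 <% end %>
 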
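Review bot: Calling `.html_safe` on `_('I accept the %s')` on new line 114 marks whatever the translation catalog returns for this msgid as trusted HTML, so markup in any locale's translation is rendered unescaped on the signup form. If the string is meant to be plain text, escape it before interpolating the link, e.g. `h(_('I accept the %s')) % link_to(...)`. That should leave only the `link_to` output as markup, though it is worth confirming on the Rails version in use. If raw markup in the translation is intended, a template comment saying that translations of this string are rendered as HTML would tell catalog reviewers what to check.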
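--- a/test/unit/user_mailer_test.rb
+++ b/test/unit/user_mailer_test.rb
@@ -44,6 +44,16 @@ fast_create(Person))
 assert_equal 'activation template body', mail.body.to_s
 end
 
+should 'not leak template params into activation email' do
+EmailTemplate.create!(:template_type => :user_activation, :name => 'template1', :subject => 'activation template subject', :body => 'activation template body', :owner => Environment.default)
+assert_difference 'ActionMailer::Base.deliveries.size' do
+u = create_user('some-user')
+UserMailer.activation_code(u).deliver
+end
+mail = ActionMailer::Base.deliveries.last
+assert_nil mail['template-params']
+end
+
 private
 
 def read_fixture(action)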
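Review bot: The new test asserts only on `mail['template-params']`, so it would not notice the other helper-only key, or any future one, ending up in the delivered headers. Adding `assert_nil mail['email-template']` next to it covers both keys the helper excludes. A stricter variant would compare the message's header names against the expected set, so the test fails on any unexpected header.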