[#43981] - [4.4] Escape unsafe tags in mail copy to sender and notification to admin and don't escape custom email fields
- Fixed in Code Base
- 26 Aug 2024
- Medium
- Build: 4.4-dev
- # 43981
- Diff
- richard67:4.4-dev-fix-mail-templates-2024-08-25
User tests: Successful: Unsuccessful:
Pull Request for Issue #43971 .
Alternative to PR #43978 .
Summary of Changes
This pull request (PR) removes the customfields mail templates tag from the unsafe tags to be escaped (part 1 of issue #43971 ).
Furthermore, it adds missing escaping of the remaining unsafe tags for the copy sent to the sender of email sent with a contact form (part 2 of issue #43971 ).
Finally, it fixes a similar issue as part 2 for user registration: In the email to the user, the unsafe mail template tags {...} are escaped, but in the notification mails sent out to all superadmins (i.e. users with user creating permissions and receiving system emails) they are not escaped.
The last 2 changes are the same as in PR #43978 , i.e. this PR here is equal to that PR plus the first change.
Testing Instructions
In principle this PR could be checked by code review.
But if you want to do real tests, follow the instructions below.
Code review
-
In file components/com_contact/src/Controller/ContactController.php in line 274 just before the
$mailer->sendcall the unsafe tags are added:
$mailer->addUnsafeTags(['name', 'email', 'body', 'customfields']);
This PR removes the'customfields'from that call.
Then a few lines below a new mailer is used for sending the copy. The mailer uses the same template, so the same unsafe tags should be added before line 283 with the$mailer->sendcall for the copy. That's currently missing. This PR adds that. -
In file components/com_users/src/Model/RegistrationModel.php in line 511 just before the
$mailer->sendcall the unsafe tags are added:
$mailer->addUnsafeTags(['username', 'password_clear', 'name']);
Later below for the notification mail to the admins, unsafe tags should be added before line 558, but they are currently missing.
Because for that email a different mail template is used which does not use the{password_clear}tag, the line should be:
$mailer->addUnsafeTags(['username', 'name']);
This PR adds that.
Test 1: Custom email fields with HTML layout override
See issue #43971 , section "Steps to reproduce the issue":
Use the com_contact component and create a custom field for the email type. Create an override for that email field to format the output in the HTML mail:
/template/html/layouts/com_fields/field/myfieldoverride.php
Code example:
<p class="myfield">
<span class="label"><?php echo htmlentities($label, ENT_QUOTES | ENT_IGNORE, 'UTF-8'); ?>:</span>
<span class="value"><?php echo $value; ?></span>
</p>
Create a contact linked to a user and a single contact menu item for that contact, and make sure that the previously created custom email field is shown in the contact form and can be entered/changed there.
Go to the contact menu item on the site and send an email with the contact form, having entered a valid email address for the sender and the "Send a copy to yourself" check box checked.
Check the email to the recipient in an email client.
Test 2: Contact form email copy to sender
Prepare in the same way as for test 1.
Enable the "Send Copy to Submitter" option in the mail options of the menu item.
Go to the menu item on the site and send an email with the contact form, having entered a valid email address for the sender and the "Send a copy to yourself" check box checked.
Check the email copy to the sender in your email client.
Test 3: Notification email copy to superadmins on user registration
Enable user registration on your site.
Make sure you (superadmin) get notification emails.
Register a new user on the site.
Check the notification email for you (superadmin) in your email client.
Actual result BEFORE applying this Pull Request
Test 1: Custom email fields with HTML layout override
The custom field is escaped in the email to the recipient.
Test 2: Contact form email copy to sender
The custom field is not escaped in the email copy to the sender.
Test 3: Notification email copy to superadmins on user registration
Works as expected.
Expected result AFTER applying this Pull Request
Test 1: Custom email fields with HTML layout override
The custom field is not escaped in the email to the recipient.
Test 2: Contact form email copy to sender
Still works as expected. The custom field is still not escaped in the email copy to the sender.
Test 3: Notification email copy to superadmins on user registration
Still works as expected.
Link to documentations
Please select:
-
No documentation changes for docs.joomla.org needed
-
No documentation changes for manual.joomla.org needed
| Status | New | ⇒ | Pending |
joomla-cms-bot
- | Category | ⇒ | Front End com_contact com_users |
| Labels |
Added:
bug
PR-4.4-dev
|
||
| Labels |
Added:
Release Blocker
|
||
I have tested this item ✅ successfully on 6815bff
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/43981.
I have tested this item ✅ successfully on 6815bff
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/43981.
| Status | Pending | ⇒ | Ready to Commit |
RTC
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/43981.
| Status | Ready to Commit | ⇒ | Fixed in Code Base |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2024-08-26 13:18:31 |
| Closed_By | ⇒ | MacJoom | |
| Labels |
Added:
RTC
|
||
Thank you for the fix!
I have tested this item ✅ successfully on df30f7c
Works like expected .-), Thanks
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/43981.