Merge pull request #28596 from overleaf/oa-possessive-s

[web] Unescape the possessive 's and ampersand in email subjects

GitOrigin-RevId: 8ba0fd509c8b6bd2a3eec13adf10f13b0bdb6aca
Olzhas Askar
2025-09-22 16:00:52 +02:00
committed by Copybot
parent d33caaee53
commit db7bd82158
2 changed files with 26 additions and 3 deletions
@@ -280,9 +280,7 @@ templates.projectInvite = ctaTemplate({
const safeEmail = SpamSafe.isSafeEmail(opts.owner.email)
if (safeName && safeEmail) {
return `"${_.escape(opts.project.name)}" — shared by ${_.escape(
opts.owner.email
)}`
return `"${opts.project.name}" — shared by ${_.escape(opts.owner.email)}`
}
if (safeName) {
return `${settings.appName} project shared with you — "${_.escape(
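Review bot: The new single-line return drops `_.escape` from `opts.project.name`, which leaves the `safeName` check (presumably `SpamSafe.isSafeProjectName`, set just above the hunk) as the only thing keeping `<`, quotes and slashes out of the subject, and nothing on that line says so; a comment such as `// subject is plain text, not HTML: no HTML-escaping here, safeName already rejects names with <>, quotes and slashes` would stop a later edit from re-adding the escape or, worse, dropping the check. The same reasoning applies to the `_.escape(opts.owner.email)` that remains on the new line: if the subject is plain text, an apostrophe in a local part that `isSafeEmail` accepts would still come out as `&#39;`, so either drop it as well (`return \`"${opts.project.name}" — shared by ${opts.owner.email}\``) or state why the address is treated differently from the name. The hunk header counts 9/7 lines while only 8/6 are visible, so one line of this hunk appears to be missing from the rendered page. The enclosing `templates.projectInvite` block starts and ends outside the hunk.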
@@ -62,6 +62,31 @@ describe('EmailBuilder', function () {
})
})
describe('when dealing with escaping', function () {
it("should not show possessive 's as '", function () {
this.opts.project.name = "Aktöbe's project"
this.email = this.EmailBuilder.buildEmail('projectInvite', this.opts)
expect(this.email.subject).to.not.contain(''')
expect(this.email.subject).to.contain(this.opts.project.name)
})
it('should not show an ampersand as &', function () {
this.opts.project.name = 'Aktöbe & Almaty project'
this.email = this.EmailBuilder.buildEmail('projectInvite', this.opts)
expect(this.email.subject).to.not.contain('&')
expect(this.email.subject).to.contain(this.opts.project.name)
})
it('should prevent dangerous characters as project names', function () {
const characters = ['""', '<>', '//']
for (const pair of characters) {
this.opts.project.name = `${pair} project`
this.email = this.EmailBuilder.buildEmail('projectInvite', this.opts)
expect(this.email.subject).to.not.contain(pair)
}
})
})
describe('when someone is up to no good', function () {
it('should not contain the project name at all if unsafe', function () {
this.opts.project.name = "<img src='http://evilsite.com/evil.php'>"