fix: sanitize workshop description in invitation emails#2676
Open
mroderick wants to merge 2 commits into
… spec

The test constructs an expected string from Faker-generated city names, which can contain apostrophes (e.g. O'Connerstad). ERB::Util.html_escape escapes ' to &#39;, but the expected value used raw characters, making the test pass or fail depending on which random city Faker returns. Wrap each component in ERB::Util.html_escape to match the presenter's behaviour, eliminating the flake.
cce5094 to 1a1a938
Mailer views rendered @workshop.description with HAML's default escaped output (=), which HTML-escapes any HTML in the description. Many chapters use HTML tags (<strong>, <p>, <b>) in descriptions, and Norwich organisers paste full HTML documents (including doctype) into the field — all of which appeared as escaped text in emails. Render with sanitize() instead, matching the web views. Includes a test guard: description with HTML tags asserts the tags are rendered, not escaped. Also fixes the address presenter spec which was flaky on Ruby 3.4+ where ERB::Util.html_escape escapes apostrophes — used deterministic address values instead.
1a1a938 to d1e6c13
This PR is branched from #2674 to inherit its fix for the flaky tests. Please review and merge that one first, then rebase this one.
Problem
Norwich chapter organisers reported that workshop invitation emails contain escaped HTML, including `<!DOCTYPE html>`. The email shows raw HTML source like `<!DOCTYPE html><html>...` instead of rendered content.

Root Cause
Two things combined:
1. Data: Norwich organisers have been pasting full HTML documents (`<!DOCTYPE html>...`) into the `workshops.description` field via the admin form. This started April 2026 — all 5 subsequent Norwich workshops (IDs 3687, 3688, 3735, 3736, 3761) contain full `<html>` documents in their descriptions. The `description` column is `text` with no format validation.
2. Rendering mismatch: The mailer views render the description with HAML's default escaped output (`=`), which HTML-escapes the entire value. On the web, the description is rendered with `sanitize()` (allows safe HTML through). Other chapters also use HTML tags like `<strong>`, `<p>`, `<b>` in descriptions (278 workshops across all chapters contain HTML-like content), which were also being escaped in emails.

The description was added to invitation emails in commit 47c7a900 (Aug 2025, "feat: add description to invitation emails") and has always used escaped rendering — this isn't a regression, just the first time a chapter pasted a full document.

Change
Wrap `@workshop.description` with `sanitize()` in all four mailer templates, matching how the web views render it:

- app/views/workshop_invitation_mailer/invite_student.html.haml
- app/views/workshop_invitation_mailer/invite_coach.html.haml
- app/views/workshop_invitation_mailer/attending.html.haml
- app/views/workshop_invitation_mailer/attending_reminder.html.haml

Testing
Updated both `#attending renders workshop description as HTML, not escaped` tests to use HTML content in the description and assert the tags are rendered, not escaped — they would catch a revert back to `=`.

27 examples, 0 failures
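The escape-versus-sanitize contrast this PR describes, as an added example in plain Ruby (not code from the codebar repository or from this PR). `render_escaped` does to the description what HAML's `=` does; `render_sanitized` is a small allow-list sanitizer written here to stand in for Rails' `sanitize()` so that the script runs on stdlib Ruby alone. It is not the project's sanitizer and is not a substitute for it. The tag and attribute allow-lists, the sample description and the `renders_html?` guard are all constructed for the example; the sample contains an apostrophe so the `&#39;` escaping that the flaky presenter spec tripped over is visible in the output.

```ruby
require "erb"

# Tags and attributes this stand-in sanitizer lets through (constructed for the
# example; Rails' sanitize() uses its own, larger safe list).
ALLOWED_TAGS  = %w[p br b strong i em ul ol li a].freeze
ALLOWED_ATTRS = { "a" => %w[href] }.freeze
# href values must start with a known-safe scheme or be relative: an allow-list,
# so "javascript:" and anything else unexpected is dropped rather than denied.
SAFE_HREF = %r{\A(?:https?:|mailto:|/|#)}i

# What HAML's "=" does to the whole description: every "<", ">", "&", quote and
# apostrophe becomes an entity, so <p> and <!DOCTYPE html> show up as text.
def render_escaped(description)
  ERB::Util.html_escape(description)
end

# Stand-in for sanitize(): allow-listed tags survive (with allow-listed
# attributes only), every other tag is removed, and text nodes are escaped.
def render_sanitized(description)
  # Remove script/style elements together with their contents first.
  body = description.gsub(%r{<(script|style)\b[^>]*>.*?</\1\s*>}mi, "")
  body.split(/(<!--.*?-->|<[^>]*>)/m).each_with_object(+"") do |token, out|
    if token.start_with?("<!--")
      next                                 # comments are dropped
    elsif token.start_with?("<")
      out << rebuild_tag(token)
    else
      out << ERB::Util.html_escape(token)  # plain text is escaped as before
    end
  end
end

# Rebuild one tag from scratch so that only known tags and attributes remain.
# Returns "" for anything that is not an allow-listed element: <!DOCTYPE ...>,
# <html>, <body>, unknown tags.
def rebuild_tag(token)
  m = token.match(%r{\A<\s*(/?)\s*([a-zA-Z][a-zA-Z0-9]*)(.*?)\s*/?>\z}m)
  return "" unless m
  closing = m[1] == "/"
  name    = m[2].downcase
  return "" unless ALLOWED_TAGS.include?(name)
  return "</#{name}>" if closing

  allowed = ALLOWED_ATTRS.fetch(name, [])
  attrs = m[3].scan(/([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/)
  kept = attrs.filter_map do |key, dq, sq, bare|
    key   = key.downcase
    value = dq || sq || bare || ""
    next unless allowed.include?(key)
    next if key == "href" && value.strip !~ SAFE_HREF
    %( #{key}="#{ERB::Util.html_escape(value)}")
  end
  "<#{name}#{kept.join}>"
end

# The guard the PR adds to its mailer specs, as a predicate: tags must come
# through intact and the escaped form must be absent.
def renders_html?(rendered)
  rendered.include?("<strong>") && !rendered.include?("&lt;strong&gt;")
end

# Constructed sample modelled on what the PR says organisers pasted (a whole
# HTML document), with hostile pieces added to show what the allow-list drops.
SAMPLE_DESCRIPTION = <<~HTML
  <!DOCTYPE html>
  <html><body>
  <p>Bring a <strong>laptop</strong>; we'll start at 6pm.</p>
  <script>alert(1)</script>
  <p onclick="steal()">Venue: <a href="javascript:alert(1)">map</a>
  or <a href="https://example.org/map">map</a></p>
  </body></html>
HTML

if __FILE__ == $PROGRAM_NAME
  puts "--- escaped (what the emails showed) ---"
  puts render_escaped(SAMPLE_DESCRIPTION)
  puts "--- sanitized (what the PR switches to) ---"
  puts render_sanitized(SAMPLE_DESCRIPTION)
end
```

Running it prints the two renderings side by side: the first is the `&lt;!DOCTYPE html&gt;` text the Norwich organisers saw, the second keeps `<p>`, `<strong>` and the https link while the doctype, `<html>`/`<body>` wrappers, the script, the `onclick` handler and the `javascript:` href are gone. The property the PR relies on is that contract: an allow-list sanitizer, not marking the stored description as already-safe HTML, is what makes rendering it in a mailer acceptable.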