SECURITY: Properly escape user input when generating email HTML (#455)

.discourse-compatibility

@@ -1,4 +1,3 @@
-3.1.999: afc2ee684de41601d6cecc46713d139760f176a6
 3.1.0.beta3: 10077ca904956005f9fa83c3d9fb124b59e8c47b
 2.9.0.beta13: b4c366b35d6f9778e54a878aa083348e8a45e86e
 2.9.0.beta9: 6f16ae10dc0306d6e1369e0d1414416d7e72141d

plugin.rb

@@ -429,8 +429,8 @@ module ::DiscoursePostEvent
           event_name = event_node["data-name"] || post.topic.title
           event_node.replace <<~TXT
           <div style='border:1px solid #dedede'>
-            <p><a href="#{Discourse.base_url}#{post.url}">#{event_name}</a></p>
-            <p>#{dates}</p>
+            <p><a href="#{Discourse.base_url}#{post.url}">#{CGI.escape_html(event_name)}</a></p>
+            <p>#{CGI.escape_html(dates)}</p>
           </div>
         TXT
         end

spec/lib/discourse_post_event/pretty_text_spec.rb

@@ -30,6 +30,9 @@
 
       context "when the event has a name" do
         let(:post_1) { create_post_with_event(user_1, 'name="Pancakes event"') }
+        let(:post_2) do
+          create_post_with_event(user_1, 'name="Pancakes event <a>with html chars</a>"')
+        end
 
         it "displays the event name" do
           cooked = PrettyText.cook(post_1.raw)
@@ -41,6 +44,17 @@
             </div>
           HTML
         end
+
+        it "properly escapes title" do
+          cooked = PrettyText.cook(post_2.raw)
+
+          expect(PrettyText.format_for_email(cooked, post_2)).to match_html(<<~HTML)
+            <div style='border:1px solid #dedede'>
+              <p><a href="#{Discourse.base_url}#{post_2.url}">Pancakes event &lt;a&gt;with html chars&lt;/a&gt;</a></p>
+              <p>2018-06-05T18:39:50.000Z (UTC)</p>
+            </div>
+          HTML
+        end
       end
 
       context "when the event has an end date" do