escape HTML in subject and other fields - closes #46

commit 5415538888238b58b50d028ca10100116c389f05 1 parent 8a0705c
@ryanb authored
2  CHANGELOG.md
@@ -1,5 +1,7 @@
## Unreleased ##
+ * Escape HTML in subject and other fields
+ * Raise an exception if the :location option is not present instead of using a default
* Open rich version by default (thanks Damir)
* Override margin on dt and dd elements in CSS (thanks Edgars Beigarts)
* Autolink URLs in plain version (thanks Matt Burke)
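Review bot: the second new entry, "Raise an exception if the :location option is not present instead of using a default", has no corresponding change anywhere in this commit; the diff touches only the escaping work (message.html.erb, message.rb and the spec). Either drop that line from this commit or note the commit that actually made the :location change, so the changelog stays traceable to the code.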
14 lib/letter_opener/message.html.erb
@@ -51,32 +51,32 @@
<div id="message_headers">
<dl>
<dt>From:</dt>
- <dd><%= from %></dd>
+ <dd><%= h from %></dd>
<% unless reply_to.empty? %>
<dt>Reply-To:</dt>
- <dd><%= reply_to %></dd>
+ <dd><%= h reply_to %></dd>
<% end %>
<dt>Subject:</dt>
- <dd><strong><%= mail.subject %></strong></dd>
+ <dd><strong><%= h mail.subject %></strong></dd>
<dt>Date:</dt>
<dd><%= Time.now.strftime("%b %e, %Y %I:%M:%S %p %Z") %></dd>
<% unless to.empty? %>
<dt>To:</dt>
- <dd><%= to %></dd>
+ <dd><%= h to %></dd>
<% end %>
<% if mail.cc %>
<dt>CC:</dt>
- <dd><%= mail.cc.join(", ") %></dd>
+ <dd><%= h mail.cc.join(", ") %></dd>
<% end %>
<% if mail.bcc %>
<dt>BCC:</dt>
- <dd><%= mail.bcc.join(", ") %></dd>
+ <dd><%= h mail.bcc.join(", ") %></dd>
<% end %>
</dl>
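Review bot: `<%= h mail.subject %>` on the Subject line will raise for a message built without a subject, because `h` hands its argument straight to CGI.escapeHTML, which raises on nil; before this change `<%= mail.subject %>` simply rendered an empty cell. Use `h mail.subject.to_s` here. The `from`, `to` and `reply_to` values come through Message methods and are guarded by `.empty?` checks, but `mail.cc` / `mail.bcc` are only checked for truthiness, so the `.join(", ")` results are the only other values guaranteed to be strings.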
@@ -92,7 +92,7 @@
</div>
<% if type == "plain" %>
- <pre id="message_body"><%= auto_link(CGI.escapeHTML(body)) %></pre>
+ <pre id="message_body"><%= auto_link(h(body)) %></pre>
<% else %>
<%= body %>
<% end %>
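Review bot: the rich branch still renders `<%= body %>` unescaped, which is intended since it is the message's own HTML part, but now that every other interpolation in the template goes through `h`, a one-line ERB comment saying the raw output is deliberate would stop the next reader from "fixing" it. In the plain branch the order `auto_link(h(body))` is the right one (escape first, then add markup), as long as auto_link builds its href from the already-escaped text rather than escaping it again, otherwise an `&` in a URL would end up as `&amp;amp;`.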
4 lib/letter_opener/message.rb
@@ -64,6 +64,10 @@ def auto_link(text)
end
end
+ def h(content)
+ CGI.escapeHTML(content)
+ end
+
def <=>(other)
order = %w[rich plain]
order.index(type) <=> order.index(other.type)
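Review bot: `h` passes `content` to CGI.escapeHTML unchanged, so any nil header value raises instead of rendering blank; since this helper is now the single escape point for every header field, make it tolerant with `CGI.escapeHTML(content.to_s)`. Also confirm that `require 'cgi'` is at the top of message.rb: the template called CGI.escapeHTML before this change too, so the library is probably loaded, but the helper should not rely on the template having pulled it in. A short comment noting that this is plain ERB (no Rails html_safe machinery, so every field must be escaped explicitly) would help as well.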
6 spec/letter_opener/delivery_method_spec.rb
@@ -70,7 +70,7 @@
Mail.deliver do
from 'foo@example.com'
to 'bar@example.com'
- subject 'Many parts'
+ subject 'Many parts with <html>'
text_part do
body 'This is <plain> text'
end
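Review bot: the `<html>` added to the subject gives the new assertion something to catch, but the From/To/Reply-To lines were escaped in the same commit and no fixture exercises them. The realistic case is a display name, e.g. `from 'Foo <foo@example.com>'`, since that is exactly where `<` and `>` show up in address fields; adding one here would cover `h from` / `h to` without a separate spec.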
@@ -100,6 +100,10 @@
it 'saves html part' do
rich.should include("<h1>This is HTML</h1>")
end
+
+ it 'saves escaped Subject field' do
+ plain.should include("Many parts with &lt;html&gt;")
+ end
end
end
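Review bot: the new spec only checks that the escaped subject appears in `plain`; add the same `include("Many parts with &lt;html&gt;")` expectation for `rich`, a negative assertion such as `plain.should_not include("Many parts with <html>")` so the test fails if escaping is dropped rather than passing by accident, and `plain.should include("This is &lt;plain&gt; text")` to cover the `auto_link(h(body))` change in message.html.erb, which currently has no assertion at all.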