Fixed sanitization of user invited emails for notification message (#1060)

no issue

- Escaped email ids string sent to notification message during blog setup

Credits: Antony Garand
Rishabh Garg 2018-10-29 17:49:46 +05:30 committed by Kevin Ansfield
parent 3f7a036905
commit bd0fb88a52


@ -1,6 +1,7 @@
/* eslint-disable ghost/ember/alias-model-in-controller */
import Controller, {inject as controller} from '@ember/controller';
import DS from 'ember-data';
import Ember from 'ember';
import RSVP from 'rsvp';
import validator from 'npm:validator';
import {alias} from '@ember/object/computed';
@ -228,7 +229,7 @@ export default Controller.extend({
if (erroredEmails.length > 0) {
invitationsString = erroredEmails.length > 1 ? ' invitations: ' : ' invitation: ';
message = `Failed to send ${erroredEmails.length} ${invitationsString}`;
message += erroredEmails.join(', ');
message += Ember.Handlebars.Utils.escapeExpression(erroredEmails.join(', '));
message += '. Please check your email configuration, see <a href=\'https://docs.ghost.org/docs/mail-config\' target=\'_blank\'>https://docs.ghost.org/v1.0.0/docs/mail-config</a> for instructions';
message = htmlSafe(message);
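Review bot: Nothing at the new `escapeExpression` line records that it is the only guard between the invited addresses and the `htmlSafe(message)` call two lines below, so a later edit that appends another dynamic value to `message` would reintroduce unescaped markup. A one-line comment above it would make the invariant explicit: `// message is passed to htmlSafe() below - escape every dynamic value appended to it`. The static anchor on the following line uses `target='_blank'` with no `rel`; adding `rel='noopener noreferrer'` there is cheap hardening, and its href and visible text point at different docs paths. The enclosing function starts and ends outside this hunk, so whether other strings in it reach `htmlSafe` unescaped cannot be checked from here.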