From e4b744362b33b78e9b3031498bdddf64052bf70f Mon Sep 17 00:00:00 2001
From: David Lu
Date: Tue, 3 May 2016 13:06:43 -0400
Subject: Added query escaping to emails (#2867)
---
 api/user.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'api')
diff --git a/api/user.go b/api/user.go
index abd34fcab..d8e2e6623 100644
--- a/api/user.go
+++ b/api/user.go
@@ -357,7 +357,7 @@ func sendWelcomeEmailAndForget(c *Context, userId string, email string, siteURL
 bodyPage.Props["TeamURL"] = siteURL
 if !verified {
- link := fmt.Sprintf("%s/do_verify_email?uid=%s&hid=%s&email=%s", siteURL, userId, model.HashPassword(userId), email)
+ link := fmt.Sprintf("%s/do_verify_email?uid=%s&hid=%s&email=%s", siteURL, userId, model.HashPassword(userId), url.QueryEscape(email))
 bodyPage.Props["VerifyUrl"] = link
 }
@@ -409,7 +409,7 @@ func addDirectChannelsAndForget(teamId string, user *model.User) {
 func SendVerifyEmailAndForget(c *Context, userId, userEmail, siteURL string) {
 go func() {
- link := fmt.Sprintf("%s/do_verify_email?uid=%s&hid=%s&email=%s", siteURL, userId, model.HashPassword(userId), userEmail)
+ link := fmt.Sprintf("%s/do_verify_email?uid=%s&hid=%s&email=%s", siteURL, userId, model.HashPassword(userId), url.QueryEscape(userEmail))
 subjectPage := utils.NewHTMLTemplate("verify_subject", c.Locale)
 subjectPage.Props["Subject"] = c.T("api.templates.verify_subject",
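Review bot: In the new `link` line of sendWelcomeEmailAndForget only `email` goes through `url.QueryEscape`; `userId` and the output of `model.HashPassword(userId)` are still written into the query string raw, and the same holds for the two later hunks (SendVerifyEmailAndForget and SendEmailChangeVerifyEmailAndForget). Whether those two values can contain reserved characters is not visible from the hunk, so building the query with `url.Values` would remove the guesswork: `q := url.Values{"uid": {userId}, "hid": {model.HashPassword(userId)}, "email": {email}}` followed by `link := siteURL + "/do_verify_email?" + q.Encode()`. Because the identical format string is repeated three times, a small helper that returns the link would keep the escaping in one place. The function body continues outside the hunk.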
@@ -1814,7 +1814,7 @@ func sendEmailChangeEmailAndForget(c *Context, oldEmail, newEmail, siteURL strin
 func SendEmailChangeVerifyEmailAndForget(c *Context, userId, newUserEmail, siteURL string) {
 go func() {
- link := fmt.Sprintf("%s/do_verify_email?uid=%s&hid=%s&email=%s", siteURL, userId, model.HashPassword(userId), newUserEmail)
+ link := fmt.Sprintf("%s/do_verify_email?uid=%s&hid=%s&email=%s", siteURL, userId, model.HashPassword(userId), url.QueryEscape(newUserEmail))
 subjectPage := utils.NewHTMLTemplate("email_change_verify_subject", c.Locale)
 subjectPage.Props["Subject"] = c.T("api.templates.email_change_verify_subject",
--
cgit v1.2.3-1-g7c22
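Review bot: The `hid` value in SendEmailChangeVerifyEmailAndForget is computed from `userId` alone, so nothing in the link ties the token to the `newUserEmail` it carries, or to this flow rather than the initial-verification link built with the same expression in SendVerifyEmailAndForget. The handler for `/do_verify_email` is not part of this diff; if it takes the address from the `email` parameter rather than from stored state, escaping does not protect that value against modification. It is worth confirming that the handler compares against the pending address in the store, or deriving the token from the user id together with the new address and an expiry. The goroutine body continues outside the hunk.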