Disallow markup for RfC emails
This commit is contained in:
Sebastian Serth
@ -23,7 +23,7 @@ class UserMailer < ApplicationMailer
|
||||
token = AuthenticationToken.generate!(request_for_comment.user)
|
||||
@receiver_displayname = request_for_comment.user.displayname
|
||||
@commenting_user_displayname = commenting_user.displayname
|
||||
@comment_text = comment.text
|
||||
@comment_text = ERB::Util.html_escape comment.text
|
||||
@rfc_link = request_for_comment_url(request_for_comment, token: token.shared_secret)
|
||||
mail(
|
||||
subject: t('mailers.user_mailer.got_new_comment.subject',
|
||||
@ -35,7 +35,7 @@ class UserMailer < ApplicationMailer
|
||||
token = AuthenticationToken.generate!(subscription.user)
|
||||
@receiver_displayname = subscription.user.displayname
|
||||
@author_displayname = from_user.displayname
|
||||
@comment_text = comment.text
|
||||
@comment_text = ERB::Util.html_escape comment.text
|
||||
@rfc_link = request_for_comment_url(subscription.request_for_comment, token: token.shared_secret)
|
||||
@unsubscribe_link = unsubscribe_subscription_url(subscription)
|
||||
mail(
|
||||
@ -48,7 +48,7 @@ class UserMailer < ApplicationMailer
|
||||
token = AuthenticationToken.generate!(receiver)
|
||||
@receiver_displayname = receiver.displayname
|
||||
@author = request_for_comment.user.displayname
|
||||
@thank_you_note = request_for_comment.thank_you_note
|
||||
@thank_you_note = ERB::Util.html_escape request_for_comment.thank_you_note
|
||||
@rfc_link = request_for_comment_url(request_for_comment, token: token.shared_secret)
|
||||
mail(subject: t('mailers.user_mailer.send_thank_you_note.subject', author: @author), to: receiver.email)
|
||||
end
|
||||
|
||||
@ -93,6 +93,25 @@ describe UserMailer do
|
||||
# A five minute tolerance is allowed to account for the time difference between `now` and the creation timestamp of the token.
|
||||
expect(token.expire_at - Time.zone.now).to be_within(5.minutes).of(7.days)
|
||||
end
|
||||
|
||||
it 'sets the correct comment' do
|
||||
expect(mail.body).to include(request_for_comment.comments.first.text)
|
||||
end
|
||||
|
||||
context 'with an HTML comment' do
|
||||
let(:html_comment) { '<b>test</b>' }
|
||||
let(:escaped_comment) { '<b>test</b>' }
|
||||
|
||||
before { request_for_comment.comments.first.update(text: html_comment) }
|
||||
|
||||
it 'does not include the HTML tags' do
|
||||
expect(mail.body).not_to include(html_comment)
|
||||
end
|
||||
|
||||
it 'includes escaped HTML tags' do
|
||||
expect(mail.body).to include(escaped_comment)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
describe '#got_new_comment_for_subscription' do
|
||||
@ -128,21 +147,41 @@ describe UserMailer do
|
||||
# A five minute tolerance is allowed to account for the time difference between `now` and the creation timestamp of the token.
|
||||
expect(token.expire_at - Time.zone.now).to be_within(5.minutes).of(7.days)
|
||||
end
|
||||
|
||||
|
||||
it 'sets the correct comment' do
|
||||
expect(mail.body).to include(request_for_comment.comments.first.text)
|
||||
end
|
||||
|
||||
context 'with an HTML comment' do
|
||||
let(:html_comment) { '<b>test</b>' }
|
||||
let(:escaped_comment) { '<b>test</b>' }
|
||||
|
||||
before { request_for_comment.comments.first.update(text: html_comment) }
|
||||
|
||||
it 'does not include the HTML tags' do
|
||||
expect(mail.body).not_to include(html_comment)
|
||||
end
|
||||
|
||||
it 'includes escaped HTML tags' do
|
||||
expect(mail.body).to include(escaped_comment)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
describe '#send_thank_you_note' do
|
||||
let(:user) { create(:learner) }
|
||||
let(:receiver) { create(:teacher) }
|
||||
let(:token) { AuthenticationToken.find_by(user: receiver) }
|
||||
let(:request_for_comments) { create(:rfc_with_comment, user: user) }
|
||||
let(:mail) { described_class.send_thank_you_note(request_for_comments, receiver).deliver_now }
|
||||
let(:request_for_comment) { create(:rfc_with_comment, user: user) }
|
||||
let(:mail) { described_class.send_thank_you_note(request_for_comment, receiver).deliver_now }
|
||||
|
||||
it 'sets the correct sender' do
|
||||
expect(mail.from).to include('codeocean@hpi.de')
|
||||
end
|
||||
|
||||
it 'sets the correct subject' do
|
||||
expect(mail.subject).to eq(I18n.t('mailers.user_mailer.send_thank_you_note.subject', author: request_for_comments.user.displayname))
|
||||
expect(mail.subject).to eq(I18n.t('mailers.user_mailer.send_thank_you_note.subject', author: request_for_comment.user.displayname))
|
||||
end
|
||||
|
||||
it 'sets the correct receiver' do
|
||||
@ -150,7 +189,7 @@ describe UserMailer do
|
||||
end
|
||||
|
||||
it 'includes the correct URL' do
|
||||
expect(mail.body).to include(request_for_comment_url(request_for_comments, token: token.shared_secret))
|
||||
expect(mail.body).to include(request_for_comment_url(request_for_comment, token: token.shared_secret))
|
||||
end
|
||||
|
||||
it 'creates a new authentication token' do
|
||||
@ -162,5 +201,25 @@ describe UserMailer do
|
||||
# A five minute tolerance is allowed to account for the time difference between `now` and the creation timestamp of the token.
|
||||
expect(token.expire_at - Time.zone.now).to be_within(5.minutes).of(7.days)
|
||||
end
|
||||
|
||||
|
||||
it 'sets the correct thank_you_note' do
|
||||
expect(mail.body).to include(request_for_comment.thank_you_note)
|
||||
end
|
||||
|
||||
context 'with an HTML comment' do
|
||||
let(:html_comment) { '<b>test</b>' }
|
||||
let(:escaped_comment) { '<b>test</b>' }
|
||||
|
||||
before { request_for_comment.update(thank_you_note: html_comment) }
|
||||
|
||||
it 'does not include the HTML tags' do
|
||||
expect(mail.body).not_to include(html_comment)
|
||||
end
|
||||
|
||||
it 'includes escaped HTML tags' do
|
||||
expect(mail.body).to include(escaped_comment)
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
Reference in New Issue
Block a user