[PHPBB3-13223] Using get_username_string() for email template variables causes HTML markup in emails

Details

Type: Bug
Status: Unverified Fix
Priority: Minor
Resolution: Fixed
Affects Version/s: 3.1.0-RC6
Fix Version/s: 3.1.0
Component/s: Notification System
Labels:
None

GitHub Pull Request URL:
https://github.com/phpbb/phpbb/pull/3072

Description

Support topic: https://www.phpbb.com/community/viewtopic.php?f=466&t=2268416

admin_activate_user.php notification type is assigning usernames to email template variables using user_loader->get_username() in 'no_profile' mode, which in its turn calls get_username_string() function in 'no_profile' mode. This causes HTML markup in emails for username colour, like

<span class="username">XXXXXX</span>

Activity

Ascending order - Click to sort in descending order

Hide

Permalink

Joas Schilling added a comment - 26/Oct/14 5:27 PM

Should use username instead?

Show

Joas Schilling added a comment - 26/Oct/14 5:27 PM Should use username instead?

Hide

Permalink

Ruslan Uzdenov added a comment - 26/Oct/14 5:32 PM

Yeah. Preparing PR right now.

Show

Ruslan Uzdenov added a comment - 26/Oct/14 5:32 PM Yeah. Preparing PR right now.

Hide

Permalink

Ruslan Uzdenov added a comment - 26/Oct/14 5:39 PM

Listed through notification types and it seems admin_activate_user.php is the only having this issue with emails.

Show

Ruslan Uzdenov added a comment - 26/Oct/14 5:39 PM Listed through notification types and it seems admin_activate_user.php is the only having this issue with emails.

Hide

Permalink

Melvin García added a comment - 26/Oct/14 5:47 PM

@Ruelan Uzdenov, this same variable is 2 lines in that file.

112 - $username = $this->user_loader->get_username($this->item_id, 'no_profile');
131 - $username = $this->user_loader->get_username($this->item_id, 'no_profile');

Show

Melvin García added a comment - 26/Oct/14 5:47 PM @Ruelan Uzdenov, this same variable is 2 lines in that file. 112 - $username = $this->user_loader->get_username($this->item_id, 'no_profile'); 131 - $username = $this->user_loader->get_username($this->item_id, 'no_profile');

Hide

Permalink

Ruslan Uzdenov added a comment - 26/Oct/14 6:05 PM - edited

@Melvin Garcia
The problem is only the one in public function get_email_template_variables() which sends the value to email template
Another one is in public function get_title() which is ok as it creates notification title for the board.

Show

Ruslan Uzdenov added a comment - 26/Oct/14 6:05 PM - edited @Melvin Garcia The problem is only the one in public function get_email_template_variables() which sends the value to email template Another one is in public function get_title() which is ok as it creates notification title for the board.

Hide

Permalink

Melvin García added a comment - 26/Oct/14 6:19 PM

Ohhh, thanks

Show

Melvin García added a comment - 26/Oct/14 6:19 PM Ohhh, thanks

People

Assignee:

Nils Adermann

Reporter:

Ruslan Uzdenov

Votes:

0 Vote for this issue

Watchers:

2 Start watching this issue

Dates

Created:

26/Oct/14 5:25 PM

Updated:

26/Oct/14 7:51 PM

Resolved:

26/Oct/14 7:50 PM

Details

Description

Activity

People

Dates

Development