SECURITY: ERB execution in custom Email Style

2025-02-25 18:55:32 -06:00 · 2020-05-21 14:26:03 -04:00
parent 5a71c51ddd
commit d11c462104
3 changed files with 113 additions and 103 deletions
--- a/app/helpers/email_helper.rb
+++ b/app/helpers/email_helper.rb
@@ -25,12 +25,8 @@ module EmailHelper
    raw "<a href='#{Discourse.base_url}#{url}' style='color: ##{@anchor_color}'>#{title}</a>"
  end

-  def email_html_template(binding_arg)
-    template = EmailStyle.new.html.sub(
-      '%{email_content}',
-      '<%= yield %><% if defined?(html_body) %><%= html_body %><% end %>'
-    )
-    ERB.new(template).result(binding_arg)
+  def email_html_template
+    EmailStyle.new.html.sub('%{email_content}', yield).html_safe
  end

  protected