Added query escaping to emails (#2867)

api/user.go

@@ -357,7 +357,7 @@ func sendWelcomeEmailAndForget(c *Context, userId string, email string, siteURL
 		bodyPage.Props["TeamURL"] = siteURL
 
 		if !verified {
-			link := fmt.Sprintf("%s/do_verify_email?uid=%s&hid=%s&email=%s", siteURL, userId, model.HashPassword(userId), email)
+			link := fmt.Sprintf("%s/do_verify_email?uid=%s&hid=%s&email=%s", siteURL, userId, model.HashPassword(userId), url.QueryEscape(email))
 			bodyPage.Props["VerifyUrl"] = link
 		}
 
@@ -409,7 +409,7 @@ func addDirectChannelsAndForget(teamId string, user *model.User) {
 func SendVerifyEmailAndForget(c *Context, userId, userEmail, siteURL string) {
 	go func() {
 
-		link := fmt.Sprintf("%s/do_verify_email?uid=%s&hid=%s&email=%s", siteURL, userId, model.HashPassword(userId), userEmail)
+		link := fmt.Sprintf("%s/do_verify_email?uid=%s&hid=%s&email=%s", siteURL, userId, model.HashPassword(userId), url.QueryEscape(userEmail))
 
 		subjectPage := utils.NewHTMLTemplate("verify_subject", c.Locale)
 		subjectPage.Props["Subject"] = c.T("api.templates.verify_subject",
@@ -1814,7 +1814,7 @@ func sendEmailChangeEmailAndForget(c *Context, oldEmail, newEmail, siteURL strin
 func SendEmailChangeVerifyEmailAndForget(c *Context, userId, newUserEmail, siteURL string) {
 	go func() {
 
-		link := fmt.Sprintf("%s/do_verify_email?uid=%s&hid=%s&email=%s", siteURL, userId, model.HashPassword(userId), newUserEmail)
+		link := fmt.Sprintf("%s/do_verify_email?uid=%s&hid=%s&email=%s", siteURL, userId, model.HashPassword(userId), url.QueryEscape(newUserEmail))
 
 		subjectPage := utils.NewHTMLTemplate("email_change_verify_subject", c.Locale)
 		subjectPage.Props["Subject"] = c.T("api.templates.email_change_verify_subject",