Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.Problem 1: if you use string translation to translate the email notification text then the call to i18n_string_translate() will sanitize it. That's bad because it breaks links in HTML email for example. If there is no translation applied then we also don't sanitize the text, so this should be fine.
On the other hand we should sanitize the tokens that are used in the mail, especially [privatemsg_message:body] if that is used.
| Comment | File | Size | Author |
|---|---|---|---|
| #2 | privatemsg-email-sanitize-2457813-2.patch | 1.8 KB | klausi |
Comments
Comment #1
klausiPatch attached.
Comment #2
klausiArgl, forgot the actual mail text function.
Comment #3
ptmkenny CreditAttribution: ptmkenny commentedChanging status to re-queue the test; for some reason, it looks like the test got postponed.
Comment #4
ptmkenny CreditAttribution: ptmkenny commentedComment #6
gunwald CreditAttribution: gunwald commentedIn my humble opinion this is not the way to go: Translated mail notifications should absolutely be sanitized! But you should not use the string translation interface to translate the message text. Instead the module has to be patched to make the drupal variables, which are used to store the text of the notifications messages, translatable with i18n.
See this issue.
You find a patch there to make the variables translatable, please test it against the dev.
Comment #7
Triumphent CreditAttribution: Triumphent commented@gunwald: The patch link doesn't work.
Comment #8
ivnish CreditAttribution: ivnish commented