Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Partial fix for broken tokens in event confirmation email #31723

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Partial fix for broken tokens in event confirmation email #31723

wants to merge 1 commit into from

Conversation

MegaphoneJon
Copy link
Contributor

Overview

See https://lab.civicrm.org/dev/core/-/issues/5676.

Before

The email confirmation text gets curly braces within URLs converted to URL encoding, breaking tokens. This happens on a) the Manage Event » Online Registration tab, b) the Register Participant page, and c) the email itself.

After

a) and b) are fixed, because we can override getFieldsToExcludeFromPurification(). However, the email itself is purified in Civi\WorkflowMessage\GenericWorkflowMessage::getUserEnteredHTML(), which has no such bypass.

Comments

Given that this was the very field that let to getPurifiedDefaults() in the first place, I'm not sure we should be bypassing purification.

In fact, it seems like there's a potential security issue here if purification happens before the tokens are rendered.

@civibot civibot
Copy link

civibot bot commented Jan 7, 2025

🤖 Thank you for contributing to CiviCRM! ❤️ We will need to test and review this PR. 👷

Introduction for new contributors...
  • If this is your first PR, an admin will greenlight automated testing with the command ok to test or add to whitelist.
  • A series of tests will automatically run. You can see the results at the bottom of this page (if there are any problems, it will include a link to see what went wrong).
  • A demo site will be built where anyone can try out a version of CiviCRM that includes your changes.
  • If this process needs to be repeated, an admin will issue the command test this please to rerun tests and build a new demo site.
  • Before this PR can be merged, it needs to be reviewed. Please keep in mind that reviewers are volunteers, and their response time can vary from a few hours to a few weeks depending on their availability and their knowledge of this particular part of CiviCRM.
  • A great way to speed up this process is to "trade reviews" with someone - find an open PR that you feel able to review, and leave a comment like "I'm reviewing this now, could you please review mine?" (include a link to yours). You don't have to wait for a response to get started (and you don't have to stop at one!) the more you review, the faster this process goes for everyone 😄
  • To ensure that you are credited properly in the final release notes, please add yourself to contributor-key.yml
  • For more information about contributing, see CONTRIBUTING.md.
Quick links for reviewers...

➡️ Online demo of this PR 🔗

@civibot civibot bot added the master label Jan 7, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
master
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@MegaphoneJon