Merge pull request #531 from edegaudenzi/feature/530_welcome_email_re…

…ported_password_is_not_html_encoded #530 Welcome email: reported Password is now HTML-encoded
2amigos · Jan 4, 2024 · aa8cd06 · aa8cd06
2 parents c6148fb + 7e01f45
commit aa8cd06
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,7 @@
 - Enh: possibility to limit the depth of the recursion when getting user ids from roles (mp1509)
 - Fix: UserSearch avoid fields name conflict if joined with other tables (liviuk2)
 - Fix: PasswordExpireService return false when user model attribute "password_changed_at" is already set at null.
+- Fix #530: Welcome email: reported Password is now HTML-encoded
 
 ## 1.6.1 March 4th, 2023
 

diff --git a/src/User/resources/views/mail/welcome.php b/src/User/resources/views/mail/welcome.php
@@ -27,7 +27,7 @@
 <p style="font-family: 'Helvetica Neue', 'Helvetica', Helvetica, Arial, sans-serif; font-size: 14px; line-height: 1.6; font-weight: normal; margin: 0 0 10px; padding: 0;">
     <?= Yii::t('usuario', 'Your account on {0} has been created', Yii::$app->name) ?>.
     <?php if ($showPassword || $module->generatePasswords): ?>
-        <?= Yii::t('usuario', 'We have generated a password for you') ?>: <strong><?= $user->password ?></strong>
+        <?= Yii::t('usuario', 'We have generated a password for you') ?>: <strong><?= Html::encode($user->password) ?></strong>
     <?php endif ?>
     <?php if ($module->allowPasswordRecovery): ?>
         <?= Yii::t('usuario', 'If you haven\'t received a password, you can reset it at') ?>: <strong><?= Html::a(Html::encode(Url::to(['/user/recovery/request'], true)), Url::to(['/user/recovery/request'], true)) ?></strong>