-
-
Notifications
You must be signed in to change notification settings - Fork 5.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Try to prevent autolinking of displaynames in activation emails by email readers #19169
Merged
zeripath
merged 3 commits into
go-gitea:main
from
zeripath:prevent-autolink-displayname
Mar 23, 2022
Merged
Try to prevent autolinking of displaynames in activation emails by email readers #19169
zeripath
merged 3 commits into
go-gitea:main
from
zeripath:prevent-autolink-displayname
Mar 23, 2022
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Unfortunately many email readers will (helpfully) detect url or url-like names and automatically create links to them, even in HTML emails. This is not ideal when usernames can have dots in them. This PR tries to prevent this behaviour by sticking ZWJ characters between dots and also set the meta tag to prevent format detection. Not every email template has been changed in this way - just the activation emails but it may be that we should be setting the above meta tag in all of our emails too. Signed-off-by: Andrew Thornton <art27@cantab.net>
Questions:
|
GiteaBot
added
the
lgtm/need 2
This PR needs two approvals by maintainers to be considered for merging.
label
Mar 22, 2022
wxiaoguang
approved these changes
Mar 22, 2022
GiteaBot
added
lgtm/need 1
This PR needs approval from one additional maintainer to be merged.
and removed
lgtm/need 2
This PR needs two approvals by maintainers to be considered for merging.
labels
Mar 22, 2022
lafriks
approved these changes
Mar 23, 2022
GiteaBot
added
lgtm/done
This PR has enough approvals to get merged. There are no important open reservations anymore.
and removed
lgtm/need 1
This PR needs approval from one additional maintainer to be merged.
labels
Mar 23, 2022
zeripath
added a commit
to zeripath/gitea
that referenced
this pull request
Mar 23, 2022
…#19169) Backport go-gitea#19169 Unfortunately many email readers will (helpfully) detect url or url-like names and automatically create links to them, even in HTML emails. This is not ideal when usernames can have dots in them. This PR tries to prevent this behaviour by sticking ZWJ characters between dots and also set the meta tag to prevent format detection. Not every email template has been changed in this way - just the activation emails but it may be that we should be setting the above meta tag in all of our emails too. Signed-off-by: Andrew Thornton <art27@cantab.net>
lafriks
pushed a commit
that referenced
this pull request
Mar 23, 2022
…19183) Backport #19169 Unfortunately many email readers will (helpfully) detect url or url-like names and automatically create links to them, even in HTML emails. This is not ideal when usernames can have dots in them. This PR tries to prevent this behaviour by sticking ZWJ characters between dots and also set the meta tag to prevent format detection. Not every email template has been changed in this way - just the activation emails but it may be that we should be setting the above meta tag in all of our emails too. Signed-off-by: Andrew Thornton <art27@cantab.net>
zeripath
added
topic/security
Something leaks user information or is otherwise vulnerable. Should be fixed!
backport/done
All backports for this PR have been created
labels
Mar 23, 2022
zeripath
added a commit
to zeripath/gitea
that referenced
this pull request
Mar 23, 2022
Unfortunately go-gitea#19169 causing a panic at startup in prod mode. This was hidden by dev mode because the templates are compiled dynamically there. The issue is that DotEscape is not in the original FuncMap at the time of compilation which causes a panic. Ref go-gitea#19169 Signed-off-by: Andrew Thornton <art27@cantab.net>
zeripath
added a commit
that referenced
this pull request
Mar 23, 2022
Unfortunately #19169 causing a panic at startup in prod mode. This was hidden by dev mode because the templates are compiled dynamically there. The issue is that DotEscape is not in the original FuncMap at the time of compilation which causes a panic. Ref #19169 Signed-off-by: Andrew Thornton <art27@cantab.net>
zeripath
added a commit
to zeripath/gitea
that referenced
this pull request
Mar 23, 2022
## [1.16.5](https://github.com/go-gitea/gitea/releases/tag/1.16.5) - 2022-03-23 * BREAKING * Bump to build with go1.18 (go-gitea#19120 et al) (go-gitea#19127) * SECURITY * Prevent redirect to Host (2) (go-gitea#19175) (go-gitea#19186) * Try to prevent autolinking of displaynames by email readers (go-gitea#19169) (go-gitea#19183) * Clean paths when looking in Storage (go-gitea#19124) (go-gitea#19179) * Do not send notification emails to inactive users (go-gitea#19131) (go-gitea#19139) * Do not send activation email if manual confirm is set (go-gitea#19119) (go-gitea#19122) * ENHANCEMENTS * Use the new/choose link for New Issue on project page (go-gitea#19172) (go-gitea#19176) * BUGFIXES * Fix compare link in active feeds for new branch (go-gitea#19149) (go-gitea#19185) * Redirect .wiki/* ui link to /wiki (go-gitea#18831) (go-gitea#19184) * Ensure deploy keys with write access can push (go-gitea#19010) (go-gitea#19182) * Ensure that setting.LocalURL always has a trailing slash (go-gitea#19171) (go-gitea#19177) * Cleanup protected branches when deleting users & teams (go-gitea#19158) (go-gitea#19174) * Use IterateBufferSize whilst querying repositories during adoption check (go-gitea#19140) (go-gitea#19160) * Fix NPE /repos/issues/search when not signed in (go-gitea#19154) (go-gitea#19155) * Use custom favicon when viewing static files if it exists (go-gitea#19130) (go-gitea#19152) * Fix the editor height in review box (go-gitea#19003) (go-gitea#19147) * Ensure isSSH is set whenever DISABLE_HTTP_GIT is set (go-gitea#19028) (go-gitea#19146) * Fix wrong scopes caused by empty scope input (go-gitea#19029) (go-gitea#19145) * Make migrations SKIP_TLS_VERIFY apply to git too (go-gitea#19132) (go-gitea#19141) * Handle email address not exist (go-gitea#19089) (go-gitea#19121) * MISC * Update json-iterator to allow compilation with go1.18 (go-gitea#18644) (go-gitea#19100) * Update golang.org/x/crypto (go-gitea#19097) (go-gitea#19098) Signed-off-by: Andrew Thornton <art27@cantab.net>
Merged
zjjhot
added a commit
to zjjhot/gitea
that referenced
this pull request
Mar 24, 2022
* giteaofficial/main: Bump minimist from 1.2.5 to 1.2.6 (go-gitea#19194) Changelog for 1.16.5 (go-gitea#19189) (go-gitea#19192) Fix showing issues in your repositories (go-gitea#18916) Update issue_no_dependencies description (go-gitea#19112) Prevent redirect to Host (2) (go-gitea#19175) Prevent start panic due to missing DotEscape function Fix compare link in active feeds for new branch (go-gitea#19149) Redirect .wiki/* ui link to /wiki (go-gitea#18831) Try to prevent autolinking of displaynames by email readers (go-gitea#19169) Update HTTP status codes to modern codes (go-gitea#18063)
Chianina
pushed a commit
to Chianina/gitea
that referenced
this pull request
Mar 28, 2022
…#19169) Unfortunately many email readers will (helpfully) detect url or url-like names and automatically create links to them, even in HTML emails. This is not ideal when usernames can have dots in them. This PR tries to prevent this behaviour by sticking ZWJ characters between dots and also set the meta tag to prevent format detection. Not every email template has been changed in this way - just the activation emails but it may be that we should be setting the above meta tag in all of our emails too. Signed-off-by: Andrew Thornton <art27@cantab.net>
Chianina
pushed a commit
to Chianina/gitea
that referenced
this pull request
Mar 28, 2022
Unfortunately go-gitea#19169 causing a panic at startup in prod mode. This was hidden by dev mode because the templates are compiled dynamically there. The issue is that DotEscape is not in the original FuncMap at the time of compilation which causes a panic. Ref go-gitea#19169 Signed-off-by: Andrew Thornton <art27@cantab.net>
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Labels
backport/done
All backports for this PR have been created
lgtm/done
This PR has enough approvals to get merged. There are no important open reservations anymore.
topic/security
Something leaks user information or is otherwise vulnerable. Should be fixed!
type/bug
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Unfortunately many email readers will (helpfully) detect url or url-like names and
automatically create links to them, even in HTML emails. This is not ideal when
usernames can have dots in them.
This PR tries to prevent this behaviour by sticking ZWJ characters between dots and
also set the meta tag to prevent format detection.
Not every email template has been changed in this way - just the activation emails but
it may be that we should be setting the above meta tag in all of our emails too.
Signed-off-by: Andrew Thornton art27@cantab.net