FIX: Mark invites flash messages as HTML safe. (PR #15539)

Context: Html tags are explicit after latest update - bug - Discourse Meta


Did you take into consideration notes from the dev topic (/t/56719)? :smiley: i.e. are you positive it’s safe?


Yep, I'm wondering the same, given it can be generated from errors/warnings… is there no way you can craft something so that the generated error contains valid HTML?

Wasn’t aware of that. :sweat_smile:

I’ll make sure it’s safe first.

I want a fix merged prior to release, but we need 100% guarantee on safety here, I would like 2 PR approvals here please.

@SamSaffron - I’m thinking of using the Rails HTML sanitizer to sanitize the user input before sending the error back to the client. We already do this for translations and other inputs. We can use this to forbid any HTML since they’re either email addresses or domains.

I’ll update the PR and ask for a review before EOW.

This pull request has been mentioned on Discourse Meta. There might be relevant details there:

Alright, I looked at all the invite validation errors containing user input and sanitized them before sending them back to the client. This should be ready for review now.
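To make the concern in this thread concrete, here is an added Ruby example (not Discourse's code and not from this PR) showing why a flash message that interpolates an invite address must not be marked HTML-safe as a whole, and one hardened form. The PR itself uses the Rails HTML sanitizer to strip tags; this stand-alone version escapes the untrusted part with `ERB::Util.html_escape` instead, and the `SafeString` class is a minimal assumed stand-in for Rails' safe buffer.

```ruby
require "erb"

# Constructed sample: an invite address as a user might submit it. The "<b>"
# wrapper is a harmless marker used only to show whether markup survives.
SAMPLE_EMAIL = "<b>alice</b>@example.com"

# Assumed minimal stand-in for Rails' SafeBuffer: a String that the view layer
# would render without escaping.
class SafeString < String
  def html_safe?
    true
  end
end

# Before: the assembled message, user input included, is flagged safe, so any
# markup inside +email+ is handed to the browser as markup.
def invite_error_unsafe(email)
  SafeString.new("Invite for #{email} failed: domain is not allowed")
end

# After: escape the untrusted part first, then flag the assembled message.
# Only the fixed wording is trusted; the address is rendered as literal text.
def invite_error_safe(email)
  SafeString.new("Invite for #{ERB::Util.html_escape(email)} failed: domain is not allowed")
end

# Review check: does a safe-flagged message still carry raw angle brackets
# that came from user input? For email/domain fields there is no legitimate
# reason for any to be present.
def contains_markup?(message)
  message.include?("<") || message.include?(">")
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe: #{invite_error_unsafe(SAMPLE_EMAIL)}"
  puts "safe:   #{invite_error_safe(SAMPLE_EMAIL)}"
end
```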