Subscription notification email contains bare HTML when RFC editor state becomes AUTH48

Open jennifer-richards opened this issue 5 months ago • 0 comments

Describe the issue

When a draft enters the draft-rfceditor state auth48, the state change event description is adjusted to create a link to the RFC Editor's auth48 page. That happens here

https://github.com/ietf-tools/datatracker/blob/cf21b8f23643cf33150c6760369efbf05c0fc91c/ietf/sync/rfceditor.py#L208

On the document history pages, that's great, but the notification sent to people watching that document renders the state in notification_email.txt here

https://github.com/ietf-tools/datatracker/blob/f8b48f4c43647e97e157067e7bf98158192d47d2/ietf/templates/community/notification_email.txt#L10-L12

The result is that a non-HTML email contains a lone HTML anchor tag, which is not rendered well by at least some mail clients. E.g., in Thunderbird, the tag itself is ignored but the URL is detected and interpreted incorrectly, creating a bogus link:

image

To fix:

Option 1: stop stuffing HTML snippets into the event descriptions.

Option 2: filter the anchor tags out of the descriptions.

The textify filter converts <b>this is in bold</b> to *this is in bold* and similarly for <i>...</i>. It would be an obvious place to strip out anchor tags (and perhaps do a more thorough sanitization of HTML in the string). Before changing this, code and templates should be audited for other uses of the textify filter.

jennifer-richards, Sep 17 '24 14:09
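
One way Option 2 could look, as an added example that is not datatracker's textify filter or any other code from the project: a standard-library parser that flattens an event description for a text/plain email. The helper name `html_to_plain`, the `label <URL>` output form and the sample description with its example.org URL are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Tags rewritten to the plain-text emphasis the issue describes for textify.
EMPHASIS = {"b": "*", "i": "*"}


class _PlainText(HTMLParser):
    """Collect text, rewriting <a href=URL>label</a> as 'label <URL>'."""

    def __init__(self):
        super().__init__(convert_charrefs=True)  # decode &amp; etc. in text
        self.out = []
        self.hrefs = []  # stack of href values for currently open <a> tags

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.append(dict(attrs).get("href") or "")
        elif tag in EMPHASIS:
            self.out.append(EMPHASIS[tag])
        # Any other tag is dropped; its text content is still kept.

    def handle_endtag(self, tag):
        if tag == "a" and self.hrefs:
            href = self.hrefs.pop()
            # Emit only absolute http(s) targets, wrapped in <> so a mail
            # client's URL detection stops at the closing bracket.
            if href.startswith(("http://", "https://")):
                self.out.append(f" <{href}>")
        elif tag in EMPHASIS:
            self.out.append(EMPHASIS[tag])

    def handle_data(self, data):
        self.out.append(data)


def html_to_plain(desc: str) -> str:
    """Hypothetical helper: flatten an HTML snippet for a text/plain body."""
    parser = _PlainText()
    parser.feed(desc)
    parser.close()  # flush any text buffered after the last tag
    return "".join(parser.out)


# Constructed sample, shaped like the AUTH48 event description in the issue.
SAMPLE = ('RFC Editor state changed to '
          '<a href="https://example.org/auth48/rfc0000">AUTH48</a>')

if __name__ == "__main__":
    print(html_to_plain(SAMPLE))
```
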