alaveteli
Encoding issues with user and body names
Users with names containing an apostrophe have their names displayed with an encoding error in a number of circumstances including the listing on /admin/users and in the draft messages used when an admin hides a request.
There are user facing issues too, and encoded strings are ending up in correspondence, as noted at:
https://github.com/mysociety/alaveteli-professional/issues/549
(I thought this issue should be tracked publicly as well as where it impacts Pro users)
Similar issue to https://github.com/mysociety/alaveteli-professional/issues/549
Reopening following a user report of an issue occurring when being prompted to sign in to send a follow-up message to the Information Commissioner's Office.
See screenshot:

This issue appears to be occurring because the authority_name in the web parameter passed from followups_controller.rb to ask_to_login (application_controller.rb) is not html safe. A fix, modelled off https://github.com/mysociety/alaveteli/pull/4807, should be fairly easy.
Example:
PostRedirect Create (2.1ms) INSERT INTO "post_redirects" ("token", "uri", "post_params_yaml", "created_at", "updated_at", "email_token", "reason_params_yaml") VALUES ($1, $2, $3, $4, $5, $6, $7) RETURNING "id" [["token", "lir1ci3sf16tgyn9dz0"], ["uri", "/request/118/followups/new/32"], ["post_params_yaml", "--- !ruby/object:ActionController::Parameters\nparameters: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n controller: followups\n action: new\n request_id: '118'\n incoming_message_id: '32'\npermitted: false\n"], ["created_at", "2022-07-23 16:25:21.391941"], ["updated_at", "2022-07-23 16:25:21.391941"], ["email_token", "e3ein3t7nw9ciluqz2y"], ["reason_params_yaml", "---\n:web: To send a follow up message to Information Commissioner's Office\n:email: Then you can write follow up message to Information Commissioner's Office.\n:email_subject: Write your FOI follow up message to Information Commissioner's\n Office\n:user_name: Joe Admin\n:user_url: [redacted]/user/joe_admin\n"]]
Fix: change info_request.public_body.name to info_request.public_body.name.html_safe in followups_controller.rb.
Rectified output:
PostRedirect Create (0.7ms) INSERT INTO "post_redirects" ("token", "uri", "post_params_yaml", "created_at", "updated_at", "email_token", "reason_params_yaml") VALUES ($1, $2, $3, $4, $5, $6, $7) RETURNING "id" [["token", "cydi3si43p66xmft587"], ["uri", "/request/118/followups/new/32"], ["post_params_yaml", "--- !ruby/object:ActionController::Parameters\nparameters: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n controller: followups\n action: new\n request_id: '118'\n incoming_message_id: '32'\npermitted: false\n"], ["created_at", "2022-07-23 17:45:07.169448"], ["updated_at", "2022-07-23 17:45:07.169448"], ["email_token", "fz53xxu39vsfxtgw8p5"], ["reason_params_yaml", "---\n:web: To send a follow up message to Information Commissioner's Office\n:email: Then you can write follow up message to Information Commissioner's Office.\n:email_subject: Write your FOI follow up message to Information Commissioner's Office\n:user_name: Joe Admin\n:user_url: [redacted]/user/joe_admin\n"]]

PR for followups_controller.rb raised in #7186
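The escaping behaviour discussed in this thread, as an added example that is not part of the original issue or of Alaveteli's code: a small Ruby model of where the `&#39;` entity comes from and what flagging a name as HTML-safe changes. `SafeString`, the helper names and the second authority name are assumptions made for illustration.

```ruby
require 'erb'

# Stand-in for ActiveSupport::SafeBuffer (assumption: models only the
# "already safe, do not escape" flag; this is not Rails or Alaveteli code).
class SafeString < String
  def html_safe?
    true
  end
end

# Escape unless flagged safe, the rule Rails applies to values in HTML.
def h(value)
  return value if value.respond_to?(:html_safe?) && value.html_safe?
  SafeString.new(ERB::Util.html_escape(value.to_s))
end

# Hypothetical builder: escapes the name when the reason text is built.
# The result is a plain String, as it would be after being stored.
def build_reason(authority_name)
  "To send a follow up message to #{h(authority_name)}"
end

# Hypothetical template that trusts stored text as ready-made HTML.
def render_trusted(stored)
  "<p>#{stored}</p>"
end

# Hypothetical template that escapes stored text once, at output.
def render_escaped(stored)
  "<p>#{h(stored)}</p>"
end

NAME = "Information Commissioner's Office"   # name from the report
MARKUP_NAME = 'Parks <b>& Leisure</b> Dept'  # constructed sample

# 1. Escaped at build time: plain-text uses (email subject) show "&#39;".
STORED_ESCAPED = build_reason(NAME)
# 2. A template that escapes again turns "&#39;" into "&amp;#39;".
DOUBLE_ESCAPED = render_escaped(STORED_ESCAPED)
# 3. Flagged safe: the entity is gone, and so is all escaping for the name.
STORED_FLAGGED = build_reason(SafeString.new(MARKUP_NAME))
TRUSTED_OUTPUT = render_trusted(STORED_FLAGGED)
# 4. Raw text stored, escaped once at HTML output: correct in both contexts.
STORED_RAW = "To send a follow up message to #{MARKUP_NAME}"
ESCAPED_ONCE = render_escaped(STORED_RAW)
```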
Issue noted today with the confirmation email for a user-user message.
Encoded apostrophes were present in the user's name in the subject and body of the message.
Message in question:
Please click on the link below to confirm your email address. Then you can send a message to....