ryanb / letter_opener

Preview mail in the browser instead of sending.
MIT License

Subject lines are not HTML-escaped #46

Closed paulschreiber closed 12 years ago

paulschreiber commented 12 years ago

Subject lines are not HTML-escaped. If your subject line is

Hello <world>

You will see:

Hello

Here's the HTML letter_opener generates:

```html
<dt>Subject:</dt>
<dd><strong>Hello <world></strong></dd>
```
paulschreiber commented 12 years ago

Looks like this is an easy fix in the erb:

```erb
<dt>Subject:</dt>
<dd><strong><%= mail.subject %></strong></dd>
```

Change to:

```erb
<dt>Subject:</dt>
<dd><strong><%= h mail.subject %></strong></dd>
```
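Added example, not code from the letter_opener project or from the commenter: it renders both templates from this thread through ERB with a stand-in mail object (`FakeMail` and `PreviewRenderer` are hypothetical names) so you can see why the unescaped version swallows `<world>` and how `h` (`ERB::Util#html_escape`) fixes it. `visible_text` is a rough approximation of what a browser would display after parsing the markup.

```ruby
require "erb"
require "cgi"

# Constructed subject taken from the issue report.
SAMPLE_SUBJECT = "Hello <world>"

# The original template from the issue: the subject is interpolated raw.
UNESCAPED_TEMPLATE = <<~TPL
  <dt>Subject:</dt>
  <dd><strong><%= mail.subject %></strong></dd>
TPL

# The proposed fix: `h` escapes <, >, &, " and ' before they reach the page.
ESCAPED_TEMPLATE = <<~TPL
  <dt>Subject:</dt>
  <dd><strong><%= h mail.subject %></strong></dd>
TPL

# Hypothetical stand-in for the Mail::Message object letter_opener hands to its template.
FakeMail = Struct.new(:subject)

# Renders an ERB template with a `mail` local in scope and ERB::Util's `h`
# available, the way a view context would.
class PreviewRenderer
  include ERB::Util # provides h / html_escape

  def initialize(template)
    @template = ERB.new(template)
  end

  def render(mail)
    @template.result(binding) # the `mail` local and `h` are visible to the template
  end
end

# HTML produced by the unescaped template for a given subject.
def unescaped_preview(subject)
  PreviewRenderer.new(UNESCAPED_TEMPLATE).render(FakeMail.new(subject))
end

# HTML produced by the escaped template for a given subject.
def escaped_preview(subject)
  PreviewRenderer.new(ESCAPED_TEMPLATE).render(FakeMail.new(subject))
end

# Rough approximation of what a browser displays: drop tags, then decode entities.
# With the unescaped template, `<world>` is parsed as a tag and disappears.
def visible_text(html)
  CGI.unescapeHTML(html.gsub(/<[^>]*>/, ""))
end

if __FILE__ == $PROGRAM_NAME
  puts unescaped_preview(SAMPLE_SUBJECT)
  puts visible_text(unescaped_preview(SAMPLE_SUBJECT)).inspect
  puts escaped_preview(SAMPLE_SUBJECT)
  puts visible_text(escaped_preview(SAMPLE_SUBJECT)).inspect
end
```

The same test applies to any user-controlled header a preview template prints (From, To, attachment names): interpolate through `h` and confirm the rendered HTML contains `&lt;`/`&gt;` rather than raw angle brackets.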