diff --git a/app/main/views/invites.py b/app/main/views/invites.py
index 3d9544b8e..2da6db406 100644
--- a/app/main/views/invites.py
+++ b/app/main/views/invites.py
@@ -6,6 +6,7 @@ from flask import (
render_template,
abort
)
+from markupsafe import Markup
from app.main import main
@@ -24,14 +25,16 @@ def accept_invite(token):
invited_user = invite_api_client.check_token(token)
if not current_user.is_anonymous() and current_user.email_address != invited_user.email_address:
- flash("""
+ message = Markup("""
You’re signed in as {}.
This invite is for another email address.
- Sign out and click the link again to accept this invite.
- """.format(
+ Sign out and click the link again to accept this invite.
+ """.format(
current_user.email_address,
- url_for("main.sign_out")
- ))
+ url_for("main.sign_out", _external=True)))
+
+ flash(message=message)
+
abort(403)
if invited_user.status == 'cancelled':
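Review bot: In accept_invite, `.format(` is called on the plain string literal and only the formatted result is passed to `Markup(...)`, so `current_user.email_address` is interpolated unescaped and then marked safe for the template. Close the literal first and format the Markup object instead, `Markup("""…""").format(current_user.email_address, url_for("main.sign_out", _external=True))`, because `Markup.format` escapes its arguments. How much markup an email address can carry depends on validation that is not visible here, but the flash message should not rely on that; a test that signs in with an address containing `<` or `&` would pin the escaping. The visible template shows one `{}` for two arguments, so the sign-out link markup appears to have been lost from this page, and accept_invite continues outside the hunk.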
diff --git a/tests/app/main/views/test_accept_invite.py b/tests/app/main/views/test_accept_invite.py
index d81fd6d28..936c8d3c4 100644
--- a/tests/app/main/views/test_accept_invite.py
+++ b/tests/app/main/views/test_accept_invite.py
@@ -287,7 +287,7 @@ def test_signed_in_existing_user_cannot_use_anothers_invite(app_,
banner_contents = flash_banners[0].text.strip()
assert "You’re signed in as test@user.gov.uk." in banner_contents
assert "This invite is for another email address." in banner_contents
- assert "Sign out and click the link again to accept this invite." in banner_contents
+ assert "Sign out and click the link again to accept this invite." in banner_contents
assert mock_accept_invite.call_count == 0