mirror of
https://github.com/GSA/notifications-admin.git
synced 2026-03-12 06:12:28 -04:00
`EmailPreviewTemplate.subject` returns a string of HTML, with any user-submitted HTML already escaped:

b5a61bfb7b/notifications_utils/template.py (L672)

What won’t be escaped is the HTML needed to redact the placeholders. We generate this HTML so we know it’s safe, and it doesn’t need to be escaped. However, when we pass it to Jinja, Jinja doesn’t know this, so will try to escape it. This means users will see the raw HTML. We can get around this by using Flask’s `Markup` class to tell Jinja that the string is already sanitised and doesn’t need escaping again.

Text message templates don’t have this problem because they already return `Markup`:

b5a61bfb7b/notifications_utils/template.py (L288)

Letter templates don’t suffer from this problem (because they don’t support redaction) but without making the same change they would still double-escape ampersands, greater-than symbols, and so on.
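Added illustration of the double-escaping described above; this is not code from notifications-utils or from this commit. It uses a minimal stand-in for `Markup` and for Jinja's autoescape step (the real ones live in markupsafe and Jinja; only the `__html__` protocol they share is reproduced), and the function names and redaction markup are assumptions.

```python
import html
import re


class Markup(str):
    """Minimal stand-in for markupsafe.Markup (what Flask re-exports):
    a str that declares itself already-safe through the __html__ protocol,
    which Jinja's autoescaping honours instead of escaping the value again."""

    def __html__(self):
        return str(self)


def jinja_autoescape(value):
    """Simplified model of what Jinja does to an interpolated value when
    autoescape is on: trust anything with __html__, escape everything else."""
    if hasattr(value, "__html__"):
        return Markup(value.__html__())
    return Markup(html.escape(str(value), quote=True))


# Assumed redaction markup; the real template.py generates its own.
REDACTED = '<span class="placeholder-redacted">{}</span>'


def redacted_subject_str(subject):
    """Like the pre-fix subject: user text is escaped once, then each
    ((placeholder)) is replaced with HTML we generated ourselves, and the
    result is handed back as a plain str (so Jinja will escape it again)."""
    escaped = html.escape(subject, quote=True)
    return re.sub(r"\(\(([^()]+)\)\)",
                  lambda m: REDACTED.format(m.group(1)), escaped)


def redacted_subject_markup(subject):
    """The fix: the same string, wrapped in Markup so Jinja leaves it alone."""
    return Markup(redacted_subject_str(subject))


def render(subject_value):
    """Stand-in for a template doing {{ template.subject }} with autoescape on."""
    return str(jinja_autoescape(subject_value))


if __name__ == "__main__":
    # Constructed sample: user-controlled text containing HTML plus a placeholder.
    sample = "Order <b>shipped</b> & ((reference))"
    print(render(redacted_subject_str(sample)))     # double-escaped: user sees raw <span>
    print(render(redacted_subject_markup(sample)))  # escaped once, redaction span intact
```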