Fix not so safe input (plausible#4263)

yonasBSD · Jun 24, 2024 · c59bdd2 · c59bdd2
1 parent a8b9505
commit c59bdd2
Showing 1 changed file with 5 additions and 2 deletions.
diff --git a/lib/plausible/site/admin.ex b/lib/plausible/site/admin.ex
@@ -164,11 +164,14 @@ defmodule Plausible.SiteAdmin do
     owner = site.owner
 
     if owner do
+      escaped_name = Phoenix.HTML.html_escape(owner.name) |> Phoenix.HTML.safe_to_string()
+      escaped_email = Phoenix.HTML.html_escape(owner.email) |> Phoenix.HTML.safe_to_string()
+
       {:safe,
        """
-        <a href="/crm/auth/user/#{owner.id}">#{owner.name}</a>
+        <a href="/crm/auth/user/#{owner.id}">#{escaped_name}</a>
         <br/><br/>
-        #{owner.email}
+        #{escaped_email}
        """}
     end
   end