[4.4] Escape unsafe tags in mail copy to sender and notification to admin and don't escape custom email fields (joomla#43981)

richard67 · web-flow · commit 2d7667ea2f29 · 2024-08-26T15:18:29.000+02:00
* Escape also copy to sender in contact form email

* Escape also new user notification email to admins

* Remove customfields from unsafe tags
diff --git a/components/com_contact/src/Controller/ContactController.php b/components/com_contact/src/Controller/ContactController.php
@@ -271,7 +271,7 @@ private function _sendEmail($data, $contact, $emailCopyToSender)
             $mailer->addRecipient($contact->email_to);
             $mailer->setReplyTo($templateData['email'], $templateData['name']);
             $mailer->addTemplateData($templateData);
-            $mailer->addUnsafeTags(['name', 'email', 'body', 'customfields']);
+            $mailer->addUnsafeTags(['name', 'email', 'body']);
             $sent = $mailer->send();
 
             // If we are supposed to copy the sender, do so.
@@ -280,6 +280,7 @@ private function _sendEmail($data, $contact, $emailCopyToSender)
                 $mailer->addRecipient($templateData['email']);
                 $mailer->setReplyTo($templateData['email'], $templateData['name']);
                 $mailer->addTemplateData($templateData);
+                $mailer->addUnsafeTags(['name', 'email', 'body']);
                 $sent = $mailer->send();
             }
         } catch (MailDisabledException | phpMailerException $exception) {
diff --git a/components/com_users/src/Model/RegistrationModel.php b/components/com_users/src/Model/RegistrationModel.php
@@ -555,6 +555,7 @@ public function register($temp)
                     $mailer = new MailTemplate('com_users.registration.admin.new_notification', $app->getLanguage()->getTag());
                     $mailer->addTemplateData($data);
                     $mailer->addRecipient($row->email);
+                    $mailer->addUnsafeTags(['username', 'name']);
                     $return = $mailer->send();
                 } catch (\Exception $exception) {
                     try {
