[11.x] Fix `Illuminate\Support\EncodedHtmlString` from causing breaking change by crynobone · Pull Request #55149 · laravel/framework · GitHub

@crynobone
Member
@crynobone crynobone commented Mar 24, 2025

With this change, slot value should be considered as safe since it will contain HTML. Only the content of the mailable template should be encoded when using {{ }}

Signed-off-by: Mior Muhammad Zaki <crynobone@gmail.com>
@crynobone crynobone marked this pull request as ready for review March 24, 2025 06:07
Co-authored-by: Sebastian Hädrich <11225821+shaedrich@users.noreply.github.com>
@taylorotwell
Member

No malicious content could be injected in the header, subcopy, etc. that were changed to use {!! !!} @crynobone?

@crynobone
Member Author

@taylorotwell

Typically the value will come from a separate view such as:

<x-mail::message>

<x-slot:header>
Unfiltered content {{ 'filtered content' }}
</x-slot:header>


</x-mail::message>
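
The distinction in the reply above, as an added example that is not part of the pull request or of Laravel's code: plain PHP stand-ins show what happens to a slot when the layout echoes it encoded versus raw. It assumes `{{ }}` HTML-encodes with `htmlspecialchars` and `{!! !!}` outputs the value unchanged; the function names, the sample input and the `<td>` wrapper are hypothetical, and it needs PHP 8 for `str_contains`.

```php
<?php
// Added illustration, not Laravel code.
// escaped() stands in for {{ $x }}, raw() stands in for {!! $x !!}.
function escaped(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function raw(string $value): string
{
    return $value;
}

// Constructed sample: untrusted text that ends up inside a mail slot.
$userInput = '<script>alert(1)</script>';

// The slot body as the calling view renders it: markup written by the
// developer plus one {{ }} interpolation of untrusted data.
$slot = '<strong>Hello</strong> ' . escaped($userInput);

// Layout echoes the slot with {{ $slot }}: the developer's markup is encoded
// too and the user data is encoded twice, so the mail shows tags as text.
$layoutEscaped = '<td class="header">' . escaped($slot) . '</td>';

// Layout echoes the slot with {!! $slot !!}: the developer's markup renders
// and the user data stays encoded exactly once.
$layoutRaw = '<td class="header">' . raw($slot) . '</td>';

// The case the review question is about: the calling view itself used
// {!! !!} on untrusted data, so nothing downstream encodes it.
$unsafeSlot = '<strong>Hello</strong> ' . raw($userInput);
$layoutRawUnsafe = '<td class="header">' . raw($unsafeSlot) . '</td>';

$cases = [
    'layout {{ $slot }}'         => $layoutEscaped,
    'layout {!! $slot !!}'       => $layoutRaw,
    'slot {!! !!} on user data'  => $layoutRawUnsafe,
];

foreach ($cases as $label => $html) {
    $live = str_contains($html, '<script>') ? 'yes' : 'no';
    printf("%-28s live <script>: %-3s  %s\n", $label, $live, $html);
}
```

Raw output in the layout is only as safe as the view that fills the slot: any untrusted value has to be encoded where it is interpolated.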

@taylorotwell taylorotwell merged commit b5ce211 into 11.x Mar 24, 2025
45 checks passed
@taylorotwell taylorotwell deleted the regression-encoded branch March 24, 2025 14:53
@seabasss

@crynobone from 11.44.3, my emails now show up in plain html code. Reverting to 11.44.2 fixes it. Any ideas of what needs to be done? Thanks!

@crynobone
Member Author

Did you export email templates? If you do, it's best to check all $slot usage to use {!! !!} instead of {{ }}

@seabasss

> Did you export email templates? If you do, it's best to check all $slot usage to use {!! !!} instead of {{ }}

Yes, but I only needed default.css anyway so I deleted the blade files and now it works again. Thanks!

@bebo925
bebo925 commented Apr 24, 2025

@crynobone We also had to revert back to 11.44.2 to fix the issue with plain html showing up in the MailMessage.

Our notifications are using the toMail and returning a basic MailMessage and we aren't even using Markdown options.

We did not publish/change the template files. Even the default footer is showing html.

Any ideas?

@heikokrebs
heikokrebs commented Apr 24, 2025

> Did you export email templates? If you do, it's best to check all $slot usage to use {!! !!} instead of {{ }}

I did too, but I also use some component with html in it, which only shows up as escaped html. Until now I was including them like

@component('mail::some-custom-stuff', [
    'data' => $foo
])
@endcomponent

UPDATE: OK, I just missed changing some {{ }} to {!! !!} in some sub-templates
