Merge branch 'master' into feature/524_cant_scan_qrcode_fix

2amigos · Jan 4, 2024 · be1db7d · be1db7d
2 parents 2c34fc5 + aa8cd06
commit be1db7d
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,6 +8,7 @@
 - Fix: UserSearch avoid fields name conflict if joined with other tables (liviuk2)
 - Fix: PasswordExpireService return false when user model attribute "password_changed_at" is already set at null.
 - Enh #524: Two Factor - Authenticator App - offer a "Can't scan?" fallback
+- Fix #530: Welcome email: reported Password is now HTML-encoded
 
 ## 1.6.1 March 4th, 2023
 

diff --git a/src/User/resources/views/mail/welcome.php b/src/User/resources/views/mail/welcome.php
@@ -27,7 +27,7 @@
 <p style="font-family: 'Helvetica Neue', 'Helvetica', Helvetica, Arial, sans-serif; font-size: 14px; line-height: 1.6; font-weight: normal; margin: 0 0 10px; padding: 0;">
     <?= Yii::t('usuario', 'Your account on {0} has been created', Yii::$app->name) ?>.
     <?php if ($showPassword || $module->generatePasswords): ?>
-        <?= Yii::t('usuario', 'We have generated a password for you') ?>: <strong><?= $user->password ?></strong>
+        <?= Yii::t('usuario', 'We have generated a password for you') ?>: <strong><?= Html::encode($user->password) ?></strong>
     <?php endif ?>
     <?php if ($module->allowPasswordRecovery): ?>
         <?= Yii::t('usuario', 'If you haven\'t received a password, you can reset it at') ?>: <strong><?= Html::a(Html::encode(Url::to(['/user/recovery/request'], true)), Url::to(['/user/recovery/request'], true)) ?></strong>