From 0b6a78f0cb19e7ea76c0fc687246aaa1ecf7295d Mon Sep 17 00:00:00 2001
From: "enrico.degaudenzi@connectorly.io" <enrico.degaudenzi@stellarise.com>
Date: Mon, 13 Nov 2023 12:10:08 +0000
Subject: [PATCH 1/2] 530 Welcome email: reported Password is now HTML-encoded

---
 src/User/resources/views/mail/welcome.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/User/resources/views/mail/welcome.php b/src/User/resources/views/mail/welcome.php
index 526f0795..8efa10a9 100644
--- a/src/User/resources/views/mail/welcome.php
+++ b/src/User/resources/views/mail/welcome.php
@@ -27,7 +27,7 @@
 <p style="font-family: 'Helvetica Neue', 'Helvetica', Helvetica, Arial, sans-serif; font-size: 14px; line-height: 1.6; font-weight: normal; margin: 0 0 10px; padding: 0;">
     <?= Yii::t('usuario', 'Your account on {0} has been created', Yii::$app->name) ?>.
     <?php if ($showPassword || $module->generatePasswords): ?>
-        <?= Yii::t('usuario', 'We have generated a password for you') ?>: <strong><?= $user->password ?></strong>
+        <?= Yii::t('usuario', 'We have generated a password for you') ?>: <strong><?= Html::encode($user->password) ?></strong>
     <?php endif ?>
     <?php if ($module->allowPasswordRecovery): ?>
         <?= Yii::t('usuario', 'If you haven\'t received a password, you can reset it at') ?>: <strong><?= Html::a(Html::encode(Url::to(['/user/recovery/request'], true)), Url::to(['/user/recovery/request'], true)) ?></strong>

From 7e01f45dc7ae94bf2b41b464e310d37cf63fb37d Mon Sep 17 00:00:00 2001
From: "enrico.degaudenzi@connectorly.io" <enrico.degaudenzi@stellarise.com>
Date: Fri, 22 Dec 2023 14:31:57 +0000
Subject: [PATCH 2/2] #530 Added changelog entry

---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index b1aa6634..5952922f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,7 @@
 - Enh: possibility to limit the depth of the recursion when getting user ids from roles (mp1509)
 - Fix: UserSearch avoid fields name conflict if joined with other tables (liviuk2)
 - Fix: PasswordExpireService return false when user model attribute "password_changed_at" is already set at null.
+- Fix #530: Welcome email: reported Password is now HTML-encoded
 
 ## 1.6.1 March 4th, 2023