From 3834195f7965d5d11736a16b27822562d8208cf1 Mon Sep 17 00:00:00 2001
From: jacobtoppm
Date: Tue, 31 Mar 2020 16:06:53 +0100
Subject: [PATCH] Add safe filter to task and workflow names on plain text notification templates to prevent escaping. Ensure plain text templates inherit from the plain text base templates, rather than html.
---
 .../wagtailadmin/notifications/task_state_approved.txt | 4 ++--
 .../notifications/task_state_approved_subject.txt | 2 +-
 .../wagtailadmin/notifications/task_state_rejected.txt | 2 +-
 .../notifications/task_state_rejected_subject.txt | 2 +-
 .../wagtailadmin/notifications/task_state_submitted.txt | 4 ++--
 .../notifications/task_state_submitted_subject.txt | 2 +-
 .../wagtailadmin/notifications/workflow_state_approved.html | 2 +-
 .../wagtailadmin/notifications/workflow_state_approved.txt | 4 ++--
 .../notifications/workflow_state_approved_subject.txt | 2 +-
 .../wagtailadmin/notifications/workflow_state_rejected.txt | 2 +-
 .../notifications/workflow_state_rejected_subject.txt | 2 +-
 .../wagtailadmin/notifications/workflow_state_submitted.txt | 4 ++--
 .../notifications/workflow_state_submitted_subject.txt | 2 +-
 13 files changed, 17 insertions(+), 17 deletions(-)
diff --git a/wagtail/admin/templates/wagtailadmin/notifications/task_state_approved.txt b/wagtail/admin/templates/wagtailadmin/notifications/task_state_approved.txt
index 3aa2d0ebb1..edfa045dc5 100644
--- a/wagtail/admin/templates/wagtailadmin/notifications/task_state_approved.txt
+++ b/wagtail/admin/templates/wagtailadmin/notifications/task_state_approved.txt
@@ -1,7 +1,7 @@
-{% extends 'wagtailadmin/notifications/base.html' %}
+{% extends 'wagtailadmin/notifications/base.txt' %}
 {% load i18n %} {% block content %}
-{% blocktrans with title=page.get_admin_display_title|safe task=task.name %}The page "{{ title }}" has been approved in moderation stage "{{ task }}".{% endblocktrans %}
+{% blocktrans with title=page.get_admin_display_title|safe task=task.name|safe %}The page "{{ title }}" has been approved in moderation stage "{{ task }}".{% endblocktrans %}
 {% trans "You can edit the page here:"%} {{ settings.BASE_URL }}{% url 'wagtailadmin_pages:edit' page.id %} {% endblock %}
diff --git a/wagtail/admin/templates/wagtailadmin/notifications/task_state_approved_subject.txt b/wagtail/admin/templates/wagtailadmin/notifications/task_state_approved_subject.txt
index b39af3630a..26e252695c 100644
--- a/wagtail/admin/templates/wagtailadmin/notifications/task_state_approved_subject.txt
+++ b/wagtail/admin/templates/wagtailadmin/notifications/task_state_approved_subject.txt
@@ -1,3 +1,3 @@
 {% load i18n %}
-{% blocktrans with title=page.get_admin_display_title|safe task=task.name %}The page "{{ title }}" has been approved in "{{ task }}".{% endblocktrans %}
+{% blocktrans with title=page.get_admin_display_title|safe task=task.name|safe %}The page "{{ title }}" has been approved in "{{ task }}".{% endblocktrans %}
diff --git a/wagtail/admin/templates/wagtailadmin/notifications/task_state_rejected.txt b/wagtail/admin/templates/wagtailadmin/notifications/task_state_rejected.txt
index 420db97758..2a12249290 100644
--- a/wagtail/admin/templates/wagtailadmin/notifications/task_state_rejected.txt
+++ b/wagtail/admin/templates/wagtailadmin/notifications/task_state_rejected.txt
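Review bot: The `|safe` added to `task.name` on the `blocktrans` line of task_state_approved.txt has to be repeated by hand for every variable in every plain-text template, and any variable added later without it will be HTML-escaped in the mail again. Since this hunk already moves the parent to `base.txt`, escaping could be switched off once there, e.g. `{% autoescape off %}{% block content %}{% endblock %}{% endautoescape %}` (base.txt is not in this patch, so its current content is an assumption), with the standalone `*_subject.txt` templates wrapped the same way. That keeps `|safe` out of the notification templates, so a `|safe` that shows up in an `.html` variant, where page titles and task or workflow names must stay escaped, is easy to spot in review. The same applies to the other `.txt` hunks in this patch.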
@@ -2,6 +2,6 @@
 {% load i18n %} {% block content %}
-{% blocktrans with title=page.get_admin_display_title|safe task=task.name %}The page "{{ title }}" has been rejected in moderation stage "{{ task }}".{% endblocktrans %}
+{% blocktrans with title=page.get_admin_display_title|safe task=task.name|safe %}The page "{{ title }}" has been rejected in moderation stage "{{ task }}".{% endblocktrans %}
 {% trans "You can edit the page here:"%} {{ settings.BASE_URL }}{% url 'wagtailadmin_pages:edit' page.id %} {% endblock %}
diff --git a/wagtail/admin/templates/wagtailadmin/notifications/task_state_rejected_subject.txt b/wagtail/admin/templates/wagtailadmin/notifications/task_state_rejected_subject.txt
index 7c4253280b..d2f6178ffe 100644
--- a/wagtail/admin/templates/wagtailadmin/notifications/task_state_rejected_subject.txt
+++ b/wagtail/admin/templates/wagtailadmin/notifications/task_state_rejected_subject.txt
@@ -1,3 +1,3 @@
 {% load i18n %}
-{% blocktrans with title=page.get_admin_display_title|safe task=task.name %}The page "{{ title }}" has been rejected during "{{ task }}".{% endblocktrans %}
+{% blocktrans with title=page.get_admin_display_title|safe task=task.name|safe %}The page "{{ title }}" has been rejected during "{{ task }}".{% endblocktrans %}
diff --git a/wagtail/admin/templates/wagtailadmin/notifications/task_state_submitted.txt b/wagtail/admin/templates/wagtailadmin/notifications/task_state_submitted.txt
index 47dd037ab9..e2ef8f5387 100644
--- a/wagtail/admin/templates/wagtailadmin/notifications/task_state_submitted.txt
+++ b/wagtail/admin/templates/wagtailadmin/notifications/task_state_submitted.txt
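Review bot: The `{% extends %}` line of task_state_rejected.txt is outside this hunk (it starts at line 2) and is not changed, although the commit message says the plain-text templates should inherit from the plain-text base. The diffstat shows the two `*_state_rejected.txt` bodies changing 2 lines each where the approved and submitted bodies change 4, so either they already extend `base.txt` or they were missed. If line 1 still reads `{% extends 'wagtailadmin/notifications/base.html' %}`, change it to `{% extends 'wagtailadmin/notifications/base.txt' %}` here and in workflow_state_rejected.txt.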
@@ -1,9 +1,9 @@
-{% extends 'wagtailadmin/notifications/base.html' %}
+{% extends 'wagtailadmin/notifications/base.txt' %}
 {% load i18n %} {% block content %}
-{% blocktrans with task=task.name title=page.get_admin_display_title|safe %}The page "{{ title }}" has been submitted for approval to moderation stage "{{ task }}".{% endblocktrans %}
+{% blocktrans with task=task.name|safe title=page.get_admin_display_title|safe %}The page "{{ title }}" has been submitted for approval to moderation stage "{{ task }}".{% endblocktrans %}
 {% trans "You can preview the page here:" %} {{ settings.BASE_URL }}{% url 'wagtailadmin_pages:workflow_preview' page.id task.id %}
diff --git a/wagtail/admin/templates/wagtailadmin/notifications/task_state_submitted_subject.txt b/wagtail/admin/templates/wagtailadmin/notifications/task_state_submitted_subject.txt
index baf8587761..88b5d8894b 100644
--- a/wagtail/admin/templates/wagtailadmin/notifications/task_state_submitted_subject.txt
+++ b/wagtail/admin/templates/wagtailadmin/notifications/task_state_submitted_subject.txt
@@ -1,3 +1,3 @@
 {% load i18n %}
-{% blocktrans with title=page.get_admin_display_title|safe task=task.name %}The page "{{ title }}" has been submitted for approval in moderation stage "{{ task }}" {% endblocktrans %}
+{% blocktrans with title=page.get_admin_display_title|safe task=task.name|safe %}The page "{{ title }}" has been submitted for approval in moderation stage "{{ task }}" {% endblocktrans %}
diff --git a/wagtail/admin/templates/wagtailadmin/notifications/workflow_state_approved.html b/wagtail/admin/templates/wagtailadmin/notifications/workflow_state_approved.html
index 9ee488bf4d..387d2bf8c1 100644
--- a/wagtail/admin/templates/wagtailadmin/notifications/workflow_state_approved.html
+++ b/wagtail/admin/templates/wagtailadmin/notifications/workflow_state_approved.html
@@ -2,6 +2,6 @@
 {% load i18n %} {% block content %}
-

{% blocktrans with title=page.get_admin_display_title task=task.name %}The page "{{ title }}" has been approved in workflow "{{ workflow }}".{% endblocktrans %}

+

{% blocktrans with title=page.get_admin_display_title workflow=workflow.name %}The page "{{ title }}" has been approved in workflow "{{ workflow }}".{% endblocktrans %}

{% trans "You can view the page here:" %} {{ page.full_url }}

{% endblock %}
diff --git a/wagtail/admin/templates/wagtailadmin/notifications/workflow_state_approved.txt b/wagtail/admin/templates/wagtailadmin/notifications/workflow_state_approved.txt
index aad31b8809..bd0c593c18 100644
--- a/wagtail/admin/templates/wagtailadmin/notifications/workflow_state_approved.txt
+++ b/wagtail/admin/templates/wagtailadmin/notifications/workflow_state_approved.txt
@@ -1,7 +1,7 @@
-{% extends 'wagtailadmin/notifications/base.html' %}
+{% extends 'wagtailadmin/notifications/base.txt' %}
 {% load i18n %} {% block content %}
-{% blocktrans with title=page.get_admin_display_title|safe task=task.name %}The page "{{ title }}" has been approved in workflow "{{ workflow }}".{% endblocktrans %}
+{% blocktrans with title=page.get_admin_display_title|safe workflow=workflow.name|safe %}The page "{{ title }}" has been approved in workflow "{{ workflow }}".{% endblocktrans %}
 {% trans "You can view the page here:" %} {{ page.full_url }} {% endblock %}
diff --git a/wagtail/admin/templates/wagtailadmin/notifications/workflow_state_approved_subject.txt b/wagtail/admin/templates/wagtailadmin/notifications/workflow_state_approved_subject.txt
index f11b6cb35c..c4b37378b2 100644
--- a/wagtail/admin/templates/wagtailadmin/notifications/workflow_state_approved_subject.txt
+++ b/wagtail/admin/templates/wagtailadmin/notifications/workflow_state_approved_subject.txt
@@ -1,3 +1,3 @@
 {% load i18n %}
-{% blocktrans with title=page.get_admin_display_title|safe task=task.name %}The page "{{ title }}" has been approved in "{{ workflow }}".{% endblocktrans %}
+{% blocktrans with title=page.get_admin_display_title|safe workflow=workflow.name|safe %}The page "{{ title }}" has been approved in "{{ workflow }}".{% endblocktrans %}
diff --git a/wagtail/admin/templates/wagtailadmin/notifications/workflow_state_rejected.txt b/wagtail/admin/templates/wagtailadmin/notifications/workflow_state_rejected.txt
index 68c95c9598..9a49506704 100644
--- a/wagtail/admin/templates/wagtailadmin/notifications/workflow_state_rejected.txt
+++ b/wagtail/admin/templates/wagtailadmin/notifications/workflow_state_rejected.txt
@@ -2,7 +2,7 @@
 {% load i18n %} {% block content %}
-{% blocktrans with title=page.get_admin_display_title|safe workflow=workflow.name %}The page "{{ title }}" has been rejected in workflow "{{ workflow }}"".{% endblocktrans %}
+{% blocktrans with title=page.get_admin_display_title|safe workflow=workflow.name|safe %}The page "{{ title }}" has been rejected in workflow "{{ workflow }}"".{% endblocktrans %}
 {% trans "You can edit the page here:"%} {{ settings.BASE_URL }}{% url 'wagtailadmin_pages:edit' page.id %} {% endblock %}
diff --git a/wagtail/admin/templates/wagtailadmin/notifications/workflow_state_rejected_subject.txt b/wagtail/admin/templates/wagtailadmin/notifications/workflow_state_rejected_subject.txt
index 77d8ff316e..dc471a9554 100644
--- a/wagtail/admin/templates/wagtailadmin/notifications/workflow_state_rejected_subject.txt
+++ b/wagtail/admin/templates/wagtailadmin/notifications/workflow_state_rejected_subject.txt
@@ -1,3 +1,3 @@
 {% load i18n %}
-{% blocktrans with title=page.get_admin_display_title|safe workflow=workflow.name %}The page "{{ title }}" has been rejected during "{{ workflow }}".{% endblocktrans %}
+{% blocktrans with title=page.get_admin_display_title|safe workflow=workflow.name|safe %}The page "{{ title }}" has been rejected during "{{ workflow }}".{% endblocktrans %}
diff --git a/wagtail/admin/templates/wagtailadmin/notifications/workflow_state_submitted.txt b/wagtail/admin/templates/wagtailadmin/notifications/workflow_state_submitted.txt
index ec5de85f79..2e376970a7 100644
--- a/wagtail/admin/templates/wagtailadmin/notifications/workflow_state_submitted.txt
+++ b/wagtail/admin/templates/wagtailadmin/notifications/workflow_state_submitted.txt
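Review bot: The rewritten `blocktrans` line in workflow_state_rejected.txt still ends with a doubled quote, `workflow "{{ workflow }}"".`, so the mail body prints a stray `"` after the workflow name. Drop one so the string ends `rejected in workflow "{{ workflow }}".{% endblocktrans %}`, matching the approved and submitted bodies. The text is a translation msgid, so any existing catalog entries for it would need regenerating (inferred; no locale files are part of this patch).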
@@ -1,9 +1,9 @@
-{% extends 'wagtailadmin/notifications/base.html' %}
+{% extends 'wagtailadmin/notifications/base.txt' %}
 {% load i18n %} {% block content %}
-{% blocktrans with workflow=workflow.name title=page.get_admin_display_title|safe %}The page "{{ title }}" has been submitted for moderation to workflow "{{ workflow }}".{% endblocktrans %}
+{% blocktrans with workflow=workflow.name|safe title=page.get_admin_display_title|safe %}The page "{{ title }}" has been submitted for moderation to workflow "{{ workflow }}".{% endblocktrans %}
 {% trans "You can edit the page here:" %} {{ settings.BASE_URL }}{% url 'wagtailadmin_pages:edit' page.id %}
diff --git a/wagtail/admin/templates/wagtailadmin/notifications/workflow_state_submitted_subject.txt b/wagtail/admin/templates/wagtailadmin/notifications/workflow_state_submitted_subject.txt
index a757b71c2d..1132922025 100644
--- a/wagtail/admin/templates/wagtailadmin/notifications/workflow_state_submitted_subject.txt
+++ b/wagtail/admin/templates/wagtailadmin/notifications/workflow_state_submitted_subject.txt
@@ -1,3 +1,3 @@
 {% load i18n %}
-{% blocktrans with title=page.get_admin_display_title|safe workflow=workflow.name %}The page "{{ title }}" has been submitted to workflow "{{ workflow }}" {% endblocktrans %}
+{% blocktrans with title=page.get_admin_display_title|safe workflow=workflow.name|safe %}The page "{{ title }}" has been submitted to workflow "{{ workflow }}" {% endblocktrans %}
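Review bot: The subject string in workflow_state_submitted_subject.txt keeps a trailing space before `{% endblocktrans %}` and has no full stop, unlike the approved and rejected subjects in this patch; task_state_submitted_subject.txt has the same shape. The space is part of the translatable msgid and of the rendered subject unless the sending code strips it, which is not visible here. Ending the line `"{{ workflow }}".{% endblocktrans %}` (and `"{{ task }}".{% endblocktrans %}` in the task variant) would make the six subject templates consistent.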