From c04930a2034dbd2a7fb05dabd36ace2b50e761bf Mon Sep 17 00:00:00 2001
From: Richard Mansfield
Date: Fri, 29 Apr 2011 14:03:54 +1200
Subject: [PATCH] Escape body of html emails (bug #772860)
Change-Id: Ib0e4f4e00b3a0c78a39399b57ac2ee44d5eeee74
Signed-off-by: Richard Mansfield
---
 htdocs/interaction/forum/lib.php | 6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/htdocs/interaction/forum/lib.php b/htdocs/interaction/forum/lib.php
index edbfb15..26fd00b 100644
--- a/htdocs/interaction/forum/lib.php
+++ b/htdocs/interaction/forum/lib.php
@@ -498,7 +498,7 @@ class ActivityTypeInteractionForumNewPost extends ActivityTypePlugin {
 }
 $posttime = strftime(get_string('strftimedaydatetime'), $post->ctime);
- $htmlbody = $post->body;
+ $htmlbody = clean_html($post->body);
 $textbody = trim(html2text($post->body));
 $postlink = get_config('wwwroot') . 'interaction/forum/topic.php?id=' . $post->topicid . '#post' . $this->postid;
@@ -525,8 +525,8 @@ class ActivityTypeInteractionForumNewPost extends ActivityTypePlugin {
 $unsubscribelink
 );
 $user->htmlmessage = get_string_from_language($lang, 'forumposthtmltemplate', 'interaction.forum',
- $post->subject ? $post->subject : get_string_from_language($lang, 're', 'interaction.forum', $post->topicsubject),
- display_name($post->poster, $user),
+ $post->subject ? hsc($post->subject) : get_string_from_language($lang, 're', 'interaction.forum', hsc($post->topicsubject)),
+ hsc(display_name($post->poster, $user)),
 $posttime,
 $htmlbody,
 $postlink,
--
1.7.1
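Review bot: In the first hunk (`@@ -498,7 +498,7 @@`), the new `clean_html($post->body)` assignment sanitises the body rather than escaping it, unlike the commit subject line and the `hsc()` calls in the second hunk, and nothing in the code says why the two kinds of value are treated differently. A one-line comment above the assignment would stop a later "consistency" edit from swapping it for `hsc()` or removing it: `// Body is rich text: sanitise so permitted markup survives; plain-text fields are escaped with hsc() where the template is filled.` The neighbouring `$textbody = trim(html2text($post->body));` still reads the raw body, which is fine only while that value is used solely for the text/plain part. The enclosing method starts and ends outside the hunk, so whether this assignment runs once or once per recipient cannot be seen from here.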
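Review bot: In the second hunk (`@@ -525,8 +525,8 @@`), `$postlink` is still passed to `forumposthtmltemplate` unescaped, while the subject and display name beside it now go through `hsc()`. The first hunk shows it is concatenated from `get_config('wwwroot')`, `$post->topicid` and `$this->postid`, which are presumably trusted and numeric, but escaping at the point of HTML insertion costs nothing and removes that assumption: `hsc($postlink),`. The `get_string_from_language(...)` argument list continues past the end of the hunk, so any further arguments should be checked in the same way.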