codebar · olleolleolle · Jan 21, 2026 · Jan 21, 2026 · Jan 21, 2026 · Jan 21, 2026
diff --git a/app/presenters/address_presenter.rb b/app/presenters/address_presenter.rb
@@ -6,7 +6,9 @@ def to_html
                                                           .join(', ')
 
     [model.flat, model.street, city_and_postal_code, lat, lng]
-      .delete_if(&:empty?).join('<br/>').html_safe
+      .delete_if(&:empty?)
+      .map { |line| ERB::Util.html_escape(line) }
+      .join('<br/>').html_safe
   end
 
   def for_map

diff --git a/app/views/admin/events/show.html.haml b/app/views/admin/events/show.html.haml
@@ -92,7 +92,7 @@
 
   .row
     .col
-      %p.lead= @event.description.html_safe
+      %p.lead= sanitize(@event.description)
 
   - if @event.tito_url.present?
     .row

diff --git a/app/views/admin/meetings/show.html.haml b/app/views/admin/meetings/show.html.haml
@@ -51,7 +51,7 @@
   .row.mt-3
     .col-10
       %h4 Agenda
-      = @meeting.description.html_safe
+      = sanitize(@meeting.description)
 
 - if @invitations.any?
   .py-4.py-lg-5.bg-light

diff --git a/app/views/meeting_invitation_mailer/_agenda.html.haml b/app/views/meeting_invitation_mailer/_agenda.html.haml
@@ -3,4 +3,4 @@
     %tr
       %td
         %h4 Agenda
-        %p= @meeting.description.html_safe
+        %p= sanitize(@meeting.description)
diff --git a/app/views/meeting_invitation_mailer/_cancel_attendance.html.haml b/app/views/meeting_invitation_mailer/_cancel_attendance.html.haml
@@ -5,4 +5,4 @@
         %h4
           Can't make it anymore?
         %p
-          = "Please #{link_to 'cancel your attendance', @cancellation_url} by following the instructions on the event page.".html_safe
+          Please #{link_to 'cancel your attendance', @cancellation_url} by following the instructions on the event page.
diff --git a/app/views/meeting_invitation_mailer/invite.html.haml b/app/views/meeting_invitation_mailer/invite.html.haml
@@ -16,7 +16,7 @@
                 %p.lead
                   We're back for another instalment of codebar Monthlies on #{humanize_date(@meeting.date_and_time, with_time: true)} at #{@meeting.venue.name}!
                 %p
-                  = "#{link_to 'You can RSVP here', @rsvp_url}, after logging into your codebar account.".html_safe
+                  #{link_to 'You can RSVP here', @rsvp_url} after logging into your codebar account.
 
         = render partial: 'agenda'
 

diff --git a/spec/presenters/address_presenter_spec.rb b/spec/presenters/address_presenter_spec.rb
@@ -2,10 +2,20 @@
   let(:address) { Fabricate.build(:address) }
   let(:presenter) { AddressPresenter.new(address) }
 
-  it '#to_html' do
-    html_address = "#{address.flat}<br/>#{address.street}<br/>#{address.city}, #{address.postal_code}"
+  describe '#to_html' do
+    it 'returns the address in HTML with lines separated with <br/> tags' do
+      html_address = "#{address.flat}<br/>#{address.street}<br/>#{address.city}, #{address.postal_code}"
 
-    expect(presenter.to_html).to eq(html_address)
+      expect(presenter.to_html).to eq(html_address)
+    end
+
+    it 'escapes HTML in address elements' do
+      address.street = '<script>alert("XSS");</script>'
+      html_address = "#{address.flat}<br/>&lt;script&gt;alert(&quot;XSS&quot;);&lt;/script&gt;<br/>" +
+        "#{address.city}, #{address.postal_code}"
+
+      expect(presenter.to_html).to eq(html_address)
+    end
   end
 
   it '#to_s' do
-Original file line number
+Diff line change
@@ Expand Up / @@ -92,7 +92,7 @@ @@
       .row
         .col
-          %p.lead= @event.description.html_safe
+          %p.lead= sanitize(@event.description)
       - if @event.tito_url.present?
         .row
@@ Expand Down @@