From deec501da4f17195938aa34e9274a0b556de65bf Mon Sep 17 00:00:00 2001
From: Anders Kaseorg
Date: Tue, 26 Jan 2021 11:35:27 -0800
Subject: [PATCH] email_notifications: Fix HTML injection bug.
Signed-off-by: Anders Kaseorg
(cherry picked from commit c0ad59585534a27a60eda26298d4122b45d2168d)
---
 zerver/lib/email_notifications.py | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/zerver/lib/email_notifications.py b/zerver/lib/email_notifications.py
index 23ab74b1f8..98c0dcbcda 100644
--- a/zerver/lib/email_notifications.py
+++ b/zerver/lib/email_notifications.py
@@ -75,11 +75,15 @@ def relative_to_full_url(base_url: str, content: str) -> str:
 # entire message body will be that image element; here, we need a
 # more drastic edit to the content.
 if fragment.get('class') == 'message_inline_image':
- content_template = '

%s

'
 image_link = fragment.find('a').get('href')
 image_title = fragment.find('a').get('title')
- new_content = (content_template % (image_link, image_title, image_link))
- fragment = lxml.html.fromstring(new_content)
+ fragment = lxml.html.Element('p')
+ a = lxml.html.Element('a')
+ a.set('href', image_link)
+ a.set('target', '_blank')
+ a.set('title', image_title)
+ a.text = image_link
+ fragment.append(a)
 
 fragment.make_links_absolute(base_url)
 content = lxml.html.tostring(fragment).decode("utf-8")
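Review bot: `a.set('title', image_title)` raises TypeError when the inline-image anchor carries no title attribute, because `image_title = fragment.find('a').get('title')` yields None and lxml's `Element.set` rejects a None value, whereas the old `%s` formatting would have emitted the literal text "None" rather than failing. Guard the optional attribute: `if image_title is not None:` / `    a.set('title', image_title)`. The same applies to `a.set('href', image_link)` should the anchor ever lack an href, though that seems unlikely for a `message_inline_image` fragment. The pre-existing failure mode where `fragment.find('a')` returns None (AttributeError on `.get`) sits on the context lines and is not changed by this commit. `relative_to_full_url` begins before the hunk, so the origin of `fragment` is not visible here.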