misc: use non-autoescaping template render for email text bodies and subjects (#51374)

src/authentic2/manager/templates/authentic2/manager/user_change_email_notification_body.txt

@@ -1,4 +1,4 @@
-{% load i18n %}{% autoescape off %}{% if email_is_not_unique%}{% blocktrans with name=user.get_short_name old_email=user.email %}Hi {{ name }} !
+{% load i18n %}{% if email_is_not_unique%}{% blocktrans with name=user.get_short_name old_email=user.email %}Hi {{ name }} !
 
 An administrator requested for changing your email on {{ domain }} from:
 
@@ -32,4 +32,4 @@ To validate this change please click on the following link:
 This link will be valid for {{ token_lifetime }}.
 
 --
-{{ domain }}{% endblocktrans %}{% endif %}{% endautoescape %}
+{{ domain }}{% endblocktrans %}{% endif %}

src/authentic2/manager/templates/authentic2/manager/user_change_email_notification_subject.txt

@@ -1 +1 @@
-{% load i18n %}{% autoescape off %}{% blocktrans %}Change email on {{ domain }} requested by an administrator{% endblocktrans %}{% endautoescape %}
+{% load i18n %}{% blocktrans %}Change email on {{ domain }} requested by an administrator{% endblocktrans %}

src/authentic2/templates/authentic2/account_delete_notification_body.txt

@@ -1,8 +1,7 @@
-{% load i18n %}{% autoescape off %}{% blocktrans %}{{ full_name }},{% endblocktrans %}
+{% load i18n %}{% blocktrans %}{{ full_name }},{% endblocktrans %}
 
 {% blocktrans %}
 Your account on {{ site }} has been deleted.
 All related data will be deleted today.
 You cannot log in with it anymore.
 {% endblocktrans %}
-{% endautoescape %}

src/authentic2/templates/authentic2/account_delete_notification_subject.txt

@@ -1 +1 @@
-{% load i18n %}{% autoescape off %}{% blocktrans %}Account deletion on {{ site }}{% endblocktrans %}{% endautoescape %}
+{% load i18n %}{% blocktrans %}Account deletion on {{ site }}{% endblocktrans %}

src/authentic2/templates/authentic2/account_deletion_code_body.txt

@@ -1,4 +1,4 @@
-{% load i18n %}{% autoescape off %}{% blocktrans %}{{ full_name }},{% endblocktrans %}
+{% load i18n %}{% blocktrans %}{{ full_name }},{% endblocktrans %}
 
 {% blocktrans %}
 Please click on {{ deletion_url }}
@@ -7,4 +7,3 @@ if you want to validate your account deletion request on
 If so, all related data will be deleted in the next few hours.
 You won't be able to log in with this account anymore.
 {% endblocktrans %}
-{% endautoescape %}

src/authentic2/templates/authentic2/account_deletion_code_subject.txt

@@ -1 +1 @@
-{% load i18n %}{% autoescape off %}{% blocktrans %}Validate account deletion request on {{ site }}{% endblocktrans %}{% endautoescape %}
+{% load i18n %}{% blocktrans %}Validate account deletion request on {{ site }}{% endblocktrans %}

src/authentic2/templates/authentic2/change_email_notification_body.txt

@@ -1,4 +1,4 @@
-{% load i18n %}{% autoescape off %}{% if email_is_not_unique%}{% blocktrans with name=user.get_short_name old_email=user.email %}Hi {{ name }} !
+{% load i18n %}{% if email_is_not_unique%}{% blocktrans with name=user.get_short_name old_email=user.email %}Hi {{ name }} !
 
 You asked for changing your email on {{ domain }} from:
 
@@ -32,4 +32,4 @@ To validate this change please click on the following link:
 This link will be valid for {{ token_lifetime }}.
 
 --
-{{ domain }}{% endblocktrans %}{% endif %}{% endautoescape %}
+{{ domain }}{% endblocktrans %}{% endif %}

src/authentic2/templates/authentic2/change_email_notification_subject.txt

@@ -1 +1 @@
-{% load i18n %}{% autoescape off %}{% blocktrans %}Change email on {{ domain }}{% endblocktrans %}{% endautoescape %}
+{% load i18n %}{% blocktrans %}Change email on {{ domain }}{% endblocktrans %}

src/authentic2/templates/authentic2/registration_success_body.txt

@@ -1,4 +1,4 @@
-{% load i18n %}{% autoescape off %}{% blocktrans with full_name=user.get_full_name %}Hi {{ full_name }} !
+{% load i18n %}{% blocktrans with full_name=user.get_full_name %}Hi {{ full_name }} !
 
 Your registration on {{ site }} was successful!
 
@@ -10,5 +10,3 @@ You can login on:
 	{% trans "Email:" %} {{ user.email }}{% if user.first_name %}
 	{% trans "First name:" %} {{ user.first_name }}{% endif %}{% if user.last_name %}
 	{% trans "Last name:" %} {{ user.last_name }}{% endif %}
-
-{% endautoescape %}

src/authentic2/templates/authentic2/registration_success_subject.txt

@@ -1 +1 @@
-{% load i18n %}{% autoescape off %}{% trans "You successfully registered on" %} {{ site }}{% endautoescape %}
+{% load i18n %}{% trans "You successfully registered on" %} {{ site }}

src/authentic2/templates/authentic2/unused_account_alert_body.txt

@@ -1,8 +1,5 @@
-{% load i18n humanize %}
-{% autoescape off %}
-{% blocktrans %}Hi {{ user.get_full_name }},{% endblocktrans %}
+{% load i18n humanize %}{% blocktrans %}Hi {{ user.get_full_name }},{% endblocktrans %}
 
 {% blocktrans with last_login_date=user.last_login|naturaltime %}Your last logging was {{ last_login_date }}.{% endblocktrans %}
 {% blocktrans %}In order to keep your account, you must log in within {{ days_to_deletion }} days.{% endblocktrans %}
 {% trans "Otherwise, it will be deleted after this time." %}
-{% endautoescape %}

src/authentic2/templates/authentic2/unused_account_alert_subject.txt

@@ -1,6 +1 @@
-{% load i18n humanize %}
-{% autoescape off %}
-{% blocktrans trimmed with last_login_date=user.last_login|naturaltime %}
-Alert: {{ user.get_full_name }} your last login was {{ last_login_date }}
-{% endblocktrans %}
-{% endautoescape %}
+{% load i18n humanize %}{% blocktrans trimmed with last_login_date=user.last_login|naturaltime %}Alert: {{ user.get_full_name }} your last login was {{ last_login_date }}{% endblocktrans %}

src/authentic2/templates/authentic2/unused_account_delete_body.txt

@@ -1,8 +1,4 @@
-{% load i18n humanize %}
-{% autoescape off %}
-{% blocktrans with last_login_date=user.last_login|naturaltime %}
+{% load i18n humanize %}{% blocktrans with last_login_date=user.last_login|naturaltime %}
 Hi {{ user }},
 
-Since your last logging was {{ last_login_date }}, your account has been deleted.
-{% endblocktrans %}
-{% endautoescape %}
+Since your last logging was {{ last_login_date }}, your account has been deleted.{% endblocktrans %}

src/authentic2/templates/authentic2/unused_account_delete_subject.txt

@@ -1 +1 @@
-{% load i18n %}{% autoescape off %}{% blocktrans %}Notification: {{ user }}, your account has been deleted{% endblocktrans %}{% endautoescape %}
+{% load i18n %}{% blocktrans %}Notification: {{ user }}, your account has been deleted{% endblocktrans %}

src/authentic2/templates/registration/activation_email.txt

@@ -1,4 +1,4 @@
-{% load i18n %}{% autoescape off %}{% if not existing_accounts %}{% blocktrans %}You requested registration on {{ site }}.
+{% load i18n %}{% if not existing_accounts %}{% blocktrans %}You requested registration on {{ site }}.
 To finish your registration, please go to:
 
   {{ registration_url }}
@@ -12,4 +12,4 @@ You already have an account. To login please go to:
 {% if expiration_days > 1 %}{% blocktrans %}Link is valid for {{ expiration_days }} days.{% endblocktrans %}
 {% else %}{% blocktrans %}Link is valid for 24 hours.{% endblocktrans %}{% endif %}
 
-{% blocktrans %}If you did not register on {{ site }}, ignore this email.{% endblocktrans %}{% endautoescape %}
+{% blocktrans %}If you did not register on {{ site }}, ignore this email.{% endblocktrans %}

src/authentic2/templates/registration/activation_email_subject.txt

@@ -1 +1 @@
-{% load i18n %}{% autoescape off %}{% trans "You requested registration on" %} {{ site }}{% endautoescape %}
+{% load i18n %}{% trans "You requested registration on" %} {{ site }}

src/authentic2/templates/registration/password_reset_subject.txt

@@ -1,3 +1 @@
-{% load i18n %}{% autoescape off %}
-{% blocktrans with hostname=request.get_host %}Password reset on {{ hostname }}{% endblocktrans %}
-{% endautoescape %}
+{% load i18n %}{% blocktrans with hostname=request.get_host %}Password reset on {{ hostname }}{% endblocktrans %}

src/authentic2/utils/__init__.py

@@ -43,7 +43,8 @@ from django.utils import html, six
 from django.utils.translation import ugettext as _, ungettext
 from django.utils.six.moves.urllib import parse as urlparse
 from django.shortcuts import resolve_url
-from django.template.loader import render_to_string, TemplateDoesNotExist
+from django.template.loader import render_to_string, TemplateDoesNotExist, select_template
+from django.template.context import make_context
 from django.core.mail import send_mail
 from django.core import signing
 from django.core.cache import cache
@@ -622,6 +623,11 @@ def get_fields_and_labels(*args):
     return fields, labels
 
 
+def render_plain_text_template_to_string(template_names, ctx, request=None):
+    template = select_template(template_names)
+    return template.template.render(make_context(ctx, request=request, autoescape=False))
+
+
 def send_templated_mail(user_or_email, template_names, context=None, with_html=True,
                         from_email=None, request=None, legacy_subject_templates=None,
                         legacy_body_templates=None, legacy_html_body_templates=None,
@@ -651,11 +657,11 @@ def send_templated_mail(user_or_email, template_names, context=None, with_html=T
 
     subject_template_names = [template_name + '_subject.txt' for template_name in template_names]
     subject_template_names += legacy_subject_templates or []
-    subject = render_to_string(subject_template_names, ctx, request=request).strip()
+    subject = render_plain_text_template_to_string(subject_template_names, ctx, request=request).strip()
 
     body_template_names = [template_name + '_body.txt' for template_name in template_names]
     body_template_names += legacy_body_templates or []
-    body = render_to_string(body_template_names, ctx, request=request)
+    body = render_plain_text_template_to_string(body_template_names, ctx, request=request)
 
     html_body = None
     html_body_template_names = [template_name + '_body.html' for template_name in template_names]