From a08541173d82100527f2f3b4fd38a2e07771c3f3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rui=20Tom=C3=A9?= <108268980+r-tome@users.noreply.github.com>
Date: Fri, 9 Feb 2024 13:42:11 +0000
Subject: [PATCH] [PM-3571] Address HTML injection in passwordless login emails (#3623)

* [PM-3571] Update HandlebarsMailService for Passwordless login email URL, using AbsoluteUri which has html encoding

* [PM-3571] Switched from AbsoluteUri to OriginalString

---------

Co-authored-by: bnagawiecki <107435978+bnagawiecki@users.noreply.github.com>
---
 src/Core/Services/Implementations/HandlebarsMailService.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Core/Services/Implementations/HandlebarsMailService.cs b/src/Core/Services/Implementations/HandlebarsMailService.cs
index 90b273bed2..fee5ec903a 100644
--- a/src/Core/Services/Implementations/HandlebarsMailService.cs
+++ b/src/Core/Services/Implementations/HandlebarsMailService.cs
@@ -263,7 +263,7 @@ public class HandlebarsMailService : IMailService
 });
 var model = new PasswordlessSignInModel
 {
- Url = url.ToString()
+ Url = url.OriginalString
 };
 await AddMessageContentAsync(message, "Auth.PasswordlessSignIn", model);
 message.Category = "PasswordlessSignIn";
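Review bot: `Url = url.OriginalString` performs no encoding of its own; it only preserves whatever percent-encoding was applied when `url` was built a few lines above the hunk, so the injection fix rests entirely on that builder escaping the query values (token, e-mail) and on the `Auth.PasswordlessSignIn` template emitting `{{Url}}` through Handlebars' HTML-escaping double braces rather than raw `{{{Url}}}` — neither is visible in this diff and both deserve a check before merging. `Uri.ToString()` returns an unescaped canonical form, which is presumably how `%3C`/`%3E` in a query value turned back into `<`/`>` in the message body; a one-line why-comment on the new line would stop the next maintainer from reverting it as cosmetic, e.g. `// OriginalString keeps the percent-encoding applied when the URL was built; Uri.ToString() unescapes it and let HTML into the email (PM-3571).` A regression test that builds the URL with a token containing `<img src=x onerror=1>` and asserts the rendered body contains no `<img` would pin the property regardless of which Uri accessor is used. The enclosing method begins and ends outside this hunk.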