[PM-3571] Address HTML injection in passwordless login emails (#3623)

* [PM-3571] Update HandlebarsMailService for Passwordless login email URL, using AbsoluteUri which has html encoding * [PM-3571] Switched from AbsoluteUri to OriginalString --------- Co-authored-by: bnagawiecki <107435978+bnagawiecki@users.noreply.github.com>
2025-07-01 08:02:49 -05:00 · 2024-02-09 13:42:11 +00:00
parent 6174df0874
commit a08541173d
1 changed files with 1 additions and 1 deletions
--- a/src/Core/Services/Implementations/HandlebarsMailService.cs
+++ b/src/Core/Services/Implementations/HandlebarsMailService.cs
@ -263,7 +263,7 @@ public class HandlebarsMailService : IMailService
            });
        var model = new PasswordlessSignInModel
        {
-            Url = url.ToString()
+            Url = url.OriginalString
        };
        await AddMessageContentAsync(message, "Auth.PasswordlessSignIn", model);
        message.Category = "PasswordlessSignIn";