fix: sanitize workshop description in invitation emails

app/views/workshop_invitation_mailer/attending.html.haml

@@ -40,7 +40,7 @@
                 - if @workshop.description.present?
                   %p{ style: 'margin-top: 10px;' }
                     %strong Description:
-                    = @workshop.description
+                    = sanitize(@workshop.description)
 
         .content
           %table

app/views/workshop_invitation_mailer/attending_reminder.html.haml

@@ -35,7 +35,7 @@
                 - if @workshop.description.present?
                   %p{ style: 'margin-top: 10px;' }
                     %strong Description:
-                    = @workshop.description
+                    = sanitize(@workshop.description)
 
         .content
           %table

app/views/workshop_invitation_mailer/invite_coach.html.haml

@@ -41,7 +41,7 @@
                 - if @workshop.description.present?
                   %p{ style: 'margin-top: 15px;' }
                     %strong Description:
-                    = @workshop.description
+                    = sanitize(@workshop.description)
               %td{ width: '40%', style: 'vertical-align: top;'}
                 %h4
                   Venue

app/views/workshop_invitation_mailer/invite_student.html.haml

@@ -38,7 +38,7 @@
                 - if @workshop.description.present?
                   %p{ style: 'margin-top: 15px;' }
                     %strong Description:
-                    = @workshop.description
+                    = sanitize(@workshop.description)
               %td{ width: '40%', style: 'vertical-align: top;'}
                 %h4
                   Venue

spec/mailers/virtual_workshop_invitation_mailer_spec.rb

@@ -71,14 +71,15 @@
     expect(email.body.encoded).to match('Accept the invitation')
   end
 
-  it '#attending includes the workshop description' do
-    description = "This is a test workshop description."
+  it '#attending renders workshop description as HTML, not escaped' do
+    description = '<strong>Important notice:</strong> Please bring a laptop.'
     workshop = Fabricate(:workshop, description: description)
     invitation = Fabricate(:workshop_invitation, workshop: workshop, member: member)
 
     WorkshopInvitationMailer.attending(workshop, member, invitation).deliver_now
 
-    expect(email.body.encoded).to include(description)
+    expect(email.body.encoded).to include('Please bring a laptop.')
+    expect(email.body.encoded).not_to include('&lt;strong&gt;Important')
   end
 
   it '#invite_coach' do

spec/mailers/workshop_invitation_mailer_spec.rb

@@ -110,13 +110,14 @@
     expect(email.body.encoded).to match(workshop.chapter.email)
   end
 
-  it '#attending includes the workshop description' do
-    description = "This is a test workshop description."
+  it '#attending renders workshop description as HTML, not escaped' do
+    description = '<strong>Important notice:</strong> Please bring a laptop.'
     workshop = Fabricate(:workshop, description: description)
     invitation = Fabricate(:workshop_invitation, workshop: workshop, member: member)
 
     WorkshopInvitationMailer.attending(workshop, member, invitation).deliver_now
 
-    expect(email.body.encoded).to include(description)
+    expect(email.body.encoded).to include('Please bring a laptop.')
+    expect(email.body.encoded).not_to include('&lt;strong&gt;Important')
   end
 end

spec/presenters/address_presenter_spec.rb

@@ -4,7 +4,8 @@
 
   describe '#to_html' do
     it 'returns the address in HTML with lines separated with <br/> tags' do
-      html_address = "#{address.flat}<br/>#{address.street}<br/>#{address.city}, #{address.postal_code}"
+      escape = ERB::Util.method(:html_escape)
+      html_address = "#{escape.call(address.flat)}<br/>#{escape.call(address.street)}<br/>#{escape.call(address.city)}, #{escape.call(address.postal_code)}"
 
       expect(presenter.to_html).to eq(html_address)
     end