
HTML entities in plain text notification #19290

Closed
tillkruss opened this issue May 20, 2017 · 1 comment

Comments

@tillkruss (Contributor) commented May 20, 2017

  • Laravel Version: 5.4.23
  • PHP Version: 7.1.4

Description:

I've got object names that contain single or double quotes that are being mentioned in notifications:

```php
use Illuminate\Notifications\Messages\MailMessage;

$message = (new MailMessage)
    ->line('This line "contains" double quotes.');
```

The HTML source part of the notifications ends up containing un-encoded double quotes, however the plain-text part contains HTML entities:

This line &quot;contains&quot; double quotes.

Which obviously shouldn't happen and doesn't read well.

I'm not sure if this is a bug, or if I should just run html_entity_decode() in my /markdown templates.

@yassine-kessal commented Jun 1, 2017

This is a security prevention!

The simplest solution is to replace {{ $line }} with the following syntax: {!! $line !!} in resources/views/vendor/notifications/email.blade.php, after having run php artisan vendor:publish --tag=laravel-notifications, because {{ }} statements are automatically passed through PHP's htmlspecialchars function to prevent XSS attacks.

Be sure of what you are doing, because you are open to XSS attacks if you receive data from the user and send it directly to the notification.
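The escaping behaviour discussed in the two comments above, as an added example that is not part of the issue and not Laravel's own code. It assumes that Blade's {{ }} behaves like htmlspecialchars() with ENT_QUOTES (escapeForHtml() below is a stand-in for Laravel's e() helper, not a copy of it), and it contrasts the HTML part, which must stay escaped, with the plain-text part, where the entities are only noise and can be decoded with html_entity_decode() as the reporter considered.

```php
<?php
// Added example (not from the issue or Laravel's own code): shows why the
// HTML and plain-text parts of a notification need different treatment.
//
// Blade's {{ $line }} compiles to an escaped echo. escapeForHtml() is an
// assumption about what Laravel's e() helper does (htmlspecialchars with
// ENT_QUOTES), written here so the script runs stand-alone.
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8', false);
}

// The plain-text part has no HTML context, so entities there are just noise.
// Two ways to get a clean text line:
//   1. use {!! $line !!} in the *text* template only, i.e. skip escaping there;
//   2. keep {{ $line }} and undo the escaping afterwards with
//      html_entity_decode(), as the reporter considered doing.
// This function takes route 2, which keeps the HTML template untouched.
function renderPlainTextLine(string $value): string
{
    return html_entity_decode(escapeForHtml($value), ENT_QUOTES, 'UTF-8');
}

// Sample inputs (constructed for this example). The second one stands in for
// a user-controlled object name that happens to carry markup.
$lines = [
    'This line "contains" double quotes.',
    "Ticket 'urgent' <b>escalated</b>",
];

foreach ($lines as $line) {
    $html = escapeForHtml($line);
    $text = renderPlainTextLine($line);

    echo "HTML part : $html\n";   // e.g. This line &quot;contains&quot; double quotes.
    echo "Text part : $text\n\n"; // e.g. This line "contains" double quotes.

    // Decoding only ever undoes the escaping, so the text part equals the input...
    assert($text === $line);
    // ...while the HTML part never contains a raw angle bracket or quote, which
    // is the property {{ }} gives you and {!! !!} in the HTML template throws away.
    assert(strpbrk($html, '<>"\'') === false);
}
```

Switching the published email.blade.php to {!! $line !!} removes the second property for every recipient's HTML mail, so if the only problem is the text part, decoding entities there (or using the raw syntax only in a text-specific template) is the narrower change.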
