password reset emails with user+label@host are not correctly URL-encoded
#15151
Assignees
Labels
bug risk
Prone to bugs
Comments
defelmnq
pushed a commit
that referenced
this issue
Oct 23, 2024
Fixes #15151 This runs `urlencode` (provided by `text/template`) on the email address in the link. This ensures the link will work if a user has an email in the form `user+label@example.com`.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Relates to #14232
After creating a test password reset for a user with email of the form
user+label@host, I noticed that the password reset URL was of the formhttps://<coder-url>/reset-password/change?otp=<random>&email=user+label@host.This leads to the form not working properly due to the
+being interpreted as a space (We should ensure that any inputs to the password reset URL are URL-encoded.
The text was updated successfully, but these errors were encountered: