From 5414cc67ab7b223c116c210cd2fc40821bbc86ff Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matej=20Ba=C4=8Do?=
Date: Mon, 23 Feb 2026 12:54:20 +0100
Subject: [PATCH] Finalize html encoding rework
---
 .../Services/Projects/ProjectsConsoleClientTest.php | 11 ++++++-----
 tests/e2e/Services/Teams/TeamsCustomClientTest.php | 6 ++++--
 2 files changed, 10 insertions(+), 7 deletions(-)
diff --git a/tests/e2e/Services/Projects/ProjectsConsoleClientTest.php b/tests/e2e/Services/Projects/ProjectsConsoleClientTest.php
index 14e310ff97..5f6982b7d7 100644
--- a/tests/e2e/Services/Projects/ProjectsConsoleClientTest.php
+++ b/tests/e2e/Services/Projects/ProjectsConsoleClientTest.php
@@ -6662,7 +6662,7 @@ class ProjectsConsoleClientTest extends Scope
 $this->assertStringContainsString($expectedUrl, $lastEmail['html']);
- // With injection
+ // With injection (allowed, meant to be protected client-side)
 $url = 'http://localhost/auth/signin\">

INJECTED

';
 $response = $this->client->call(
@@ -6690,11 +6690,12 @@ class ProjectsConsoleClientTest extends Scope
 $this->assertEquals('Password Reset for ' . $this->getProject()['name'], $lastEmail['subject']);
 $this->assertStringContainsString('INJECTED', $lastEmail['html']);
- $this->assertStringNotContainsString('

', $lastEmail['html']); - $this->assertStringNotContainsString('

', $lastEmail['html']); + $this->assertStringContainsString('

', $lastEmail['html']); + $this->assertStringContainsString('

', $lastEmail['html']);
+ $this->assertStringContainsString('">', $lastEmail['html']);
+ $this->assertStringContainsString('', $lastEmail['html']);
- $sanitizedUrl = \htmlentities($url);
- $expectedUrl = $sanitizedUrl . "?userId=" . $userId . "&secret=";
+ $expectedUrl = $url . "?userId=" . $userId . "&secret=";
 $this->assertStringContainsString($expectedUrl, $lastEmail['html']);
 }
diff --git a/tests/e2e/Services/Teams/TeamsCustomClientTest.php b/tests/e2e/Services/Teams/TeamsCustomClientTest.php
index 6dbead76db..973e64a62e 100644
--- a/tests/e2e/Services/Teams/TeamsCustomClientTest.php
+++ b/tests/e2e/Services/Teams/TeamsCustomClientTest.php
@@ -157,9 +157,11 @@ class TeamsCustomClientTest extends Scope
 'testTeamsInviteHTMLInjection' => $email
 ], JSON_PRETTY_PRINT));
- $encoded = 'http://localhost:5000/join-us\"></a><h1>INJECTED</h1>?';
- $this->assertStringNotContainsString('
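Review bot: The added fragment assertions — the `'">'` needle and the closing-tag needles around it — do not show that the injected markup survived unencoded, because a `">` and a closing tag occur in any HTML email template, and the final `$this->assertStringContainsString($expectedUrl, $lastEmail['html']);` already pins the whole raw sequence; I would drop them, or replace them with the single needle `$this->assertStringContainsString($url, $lastEmail['html']);` ahead of the `$expectedUrl` check. The Teams hunk has the same redundancy, where the separate `INJECTED` heading assertion is subsumed by the `$encoded` check right after it. Both tests now lock in that a caller-supplied `url` reaches the email body without HTML encoding, and the comment `// With injection (allowed, meant to be protected client-side)` is the only record of why that is acceptable, so it should name the control being relied on, e.g. `// url is intentionally not HTML-encoded in the template; the link is validated before use by <validator or client-side check — confirm>`, since that protection is not visible in this diff. The enclosing test method starts before the hunk.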

INJECTED

', $email['html']); + // injection allowed, meant to be protected client-side + $encoded = 'http://localhost:5000/join-us\">

INJECTED

'; + + $this->assertStringContainsString('

INJECTED

', $email['html']); $this->assertStringContainsString($encoded, $email['html']); $response = $this->client->call(Client::METHOD_DELETE, '/teams/' . $teamUid . '/memberships/'.$response['body']['$id'], array_merge([