Merge pull request #531 from edegaudenzi/feature/530_welcome_email_reported_password_is_not_html_encoded

#530 Welcome email: reported Password is now HTML-encoded

CHANGELOG.md

@@ -7,6 +7,7 @@
 - Enh: possibility to limit the depth of the recursion when getting user ids from roles (mp1509)
 - Fix: UserSearch avoid fields name conflict if joined with other tables (liviuk2)
 - Fix: PasswordExpireService return false when user model attribute "password_changed_at" is already set at null.
+- Fix #530: Welcome email: reported Password is now HTML-encoded
 
 ## 1.6.1 March 4th, 2023
 

src/User/resources/views/mail/welcome.php

@@ -27,7 +27,7 @@ use yii\helpers\Url;
 <p style="font-family: 'Helvetica Neue', 'Helvetica', Helvetica, Arial, sans-serif; font-size: 14px; line-height: 1.6; font-weight: normal; margin: 0 0 10px; padding: 0;">
     <?= Yii::t('usuario', 'Your account on {0} has been created', Yii::$app->name) ?>.
     <?php if ($showPassword || $module->generatePasswords): ?>
-        <?= Yii::t('usuario', 'We have generated a password for you') ?>: <strong><?= $user->password ?></strong>
+        <?= Yii::t('usuario', 'We have generated a password for you') ?>: <strong><?= Html::encode($user->password) ?></strong>
     <?php endif ?>
     <?php if ($module->allowPasswordRecovery): ?>
         <?= Yii::t('usuario', 'If you haven\'t received a password, you can reset it at') ?>: <strong><?= Html::a(Html::encode(Url::to(['/user/recovery/request'], true)), Url::to(['/user/recovery/request'], true)) ?></strong>