Markdown Mailables converting markup to ascii codes

[karlatascent]

Laravel Version

11.44.3

PHP Version

8.2

Database Driver & Version

No response

Description

After updating our codebase to use v11.44.3 this morning, we started getting reports of emails being malformed and displaying the raw html code instead of the rendered html code. After some investigating we found that this was caused by something in the v11.44.3 update. We were able to fix by downgrading back to v11.44.2, but that's not a great long-term solution. Here's a couple screenshots showing an example:

Steps To Reproduce

Send a markdown mailable using v11.44.3.

[crynobone]

Hi there,

Does your application export/use custom markdown mail template? If so you need to update all default and named slot from {{ $slot }} to {!! $slot !!}} and only use {{ }} when dealing with user's input such as <p>Hello {{ $user->name }}</p>.

The security fix introduce to prevent malicious script from being injected via user input in markdown email.

[MrKacmaz]

PHP Version

8.3.19

Hi @crynobone,
We’ve updated to v11.44.4, but the issue still persists.

We're using a custom markdown email setup with resources/views/vendor/mail/html/themes/default.css and Blade templates for emails. Here's a simplified example of what our email content looks like:

// resources/views/emails/foo.blade.php

@component('mail::message')

@foreach ($array as $item)
    <b>{{ __('mail.foo') }}:</b> {{ $item['foo'] }}<br>
    <b>{{ __('mail.bar') }}:</b> {{ $item['bar'] }}<br><br>
@endforeach

{{ __('mail.foo') }},<br>
{{ config('app.name') }}
@endcomponent

After the update, the emails are displaying raw HTML instead of rendering properly. Downgrading to v11.44.2 resolves the issue.

Is this the expected behavior now, and should we replace all {{ $slot }}-style outputs with {!! $slot !!} in these templates? Or is there a safer workaround we should consider?

[stefvanesch]

We have the same issue on v11.44.3 and v11.44.4. v11.44.2 works fine.

[jbajou]

Same here, and we didn't catch it before deploying to production. We got a couple of hours of HTML emails not rendered properly.

The problem comes from this PR: #54737

This is a breaking change for anyone using a custom markdown email setup. The solution offered by @crynobone works totally fine and should be considered the way to go from v11.44.3 and on.

[crynobone]

11.44.5 has been released to revert the default. However, when dealing with markdown emails generated with generic user input values such as name, addresses etc, it is best to change the template and enable Illuminate\Mail\Markdown::withSecuredEncoding();; as {{ }} doesn't offer any protection against markdown texts

[stefvanesch]

@crynobone should this be working out of the box? I’ve updated to 11.44.5 and still have the same issue. Reverting to 11.44.2 resolves the issue for me.

[jbajou]

Same here! The patch 5 makes us send escaped html when using {{ $slot }}

[stephenjude]

Thanks for the workaround @crynobone

[jbajou]

I just tested deeper, 11.44.5 doesn't revert things as they were pre 11.44.3 contrary to the above mention - we still need to escape the slot like this: {!! $slot !}}

I strongly think this issue should be reopened (and we should stop playing around with patches while these are breaking changes for anyone using custom markdown email templates)

[crynobone]

@jbajou Hey there, thanks for reporting this issue.

We'll need more info and/or code to debug this further. Can you please create a repository with the command below, commit the code that reproduces the issue as one separate commit on the main/master branch and share the repository here?

Please make sure that you have the latest version of the Laravel installer in order to run this command. Please also make sure you have both Git & the GitHub CLI tool properly set up.

laravel new bug-report --github="--public"

Do not amend and create a separate commit with your custom changes. After you've posted the repository, we'll try to reproduce the issue.

Thanks!