# HG changeset patch
# User Marcin Lulek <mlulek@rhodecode.com>
# Date 2017-06-20 17:09:02
# Node ID fcaa19d486e811da07ff41608fdad7583cfed595
# Parent  fdf0761cfc0185d7885c04d86f880427696012d7

security: don't use literal in notifications.

- exposes security problems
- we don't store any html anyway in the subject

diff --git a/rhodecode/templates/admin/notifications/show_notification.mako b/rhodecode/templates/admin/notifications/show_notification.mako
--- a/rhodecode/templates/admin/notifications/show_notification.mako
+++ b/rhodecode/templates/admin/notifications/show_notification.mako
@@ -9,7 +9,7 @@
 </%def>
 
 <%def name="breadcrumbs_links()">
-    ${h.link_to(_('Notifications'),h.url('notifications'))}
+    ${h.link_to(_('Notifications'), h.url('notifications'))}
     &raquo;
     ${_('Show notification')}
 </%def>
@@ -23,11 +23,6 @@
     <!-- box / title -->
     <div class="title">
         ${self.breadcrumbs()}
-        ##<ul class="links">
-        ##    <li>
-        ##      <span ><a href="#">${_('Compose message')}</a></span>
-        ##    </li>
-        ##</ul>
     </div>
     <div class="table">
       <div id="notification_${c.notification.notification_id}" class="main-content-full">
@@ -41,7 +36,9 @@
           </div>
         </div>
         <div class="notification-body">
-        <div class="notification-subject">${h.literal(c.notification.subject)}</div>
+        <div class="notification-subject">
+            <h3>${_('Subject')}: ${c.notification.subject}</h3>
+        </div>
         %if c.notification.body:
             ${h.render(c.notification.body, renderer=c.visual.default_renderer, mentions=True)}
         %endif