From 11419f99140e13688a9613cab3ee03f8d3cbae45 Mon Sep 17 00:00:00 2001
From: Adam Cooke
Date: Sun, 1 Feb 2026 14:48:54 +0000
Subject: [PATCH] fix(deliveries): escape delivery details to prevent HTML injection

---
 app/helpers/application_helper.rb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
index c6acf45..52106ad 100644
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -3,6 +3,7 @@ module ApplicationHelper
   def format_delivery_details(server, text)
+    text = h(text)
     text.gsub!(//) do
       id = ::Regexp.last_match(1).to_i
       link_to("message ##{id}", organization_server_message_path(server.organization, server, id), class: "u-link")