author | Matthew Somerville <matthew@mysociety.org> | 2019-11-26 17:09:56 +0000 |
---|---|---|
committer | Matthew Somerville <matthew@mysociety.org> | 2019-12-09 09:38:03 +0000 |
commit | 6c2d3d5a7d84521d34daa2cf7e4be76a54b3b0e0 (patch) | |
tree | 75ef8cd6e1df444572ae5ec3a4048e6c3366a088 /perllib/FixMyStreet/App/Controller/Contact.pm | |
parent | a4290acdff6781979cc3cd7c0142d553236e5666 (diff) |
Switch to default-escaped in templates.
This means any variable used in a template is automatically
HTML-escaped, unless it is marked as safe either in code by
using a SafeString, or in the template with the `mark_safe`
function or the `safe` filter.
Diffstat (limited to 'perllib/FixMyStreet/App/Controller/Contact.pm')
-rw-r--r-- | perllib/FixMyStreet/App/Controller/Contact.pm | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/perllib/FixMyStreet/App/Controller/Contact.pm b/perllib/FixMyStreet/App/Controller/Contact.pm
index 8477dd694..9ce89a9e2 100644
--- a/perllib/FixMyStreet/App/Controller/Contact.pm
+++ b/perllib/FixMyStreet/App/Controller/Contact.pm
@@ -7,6 +7,7 @@ BEGIN { extends 'Catalyst::Controller'; }
 use MIME::Base64;
 use mySociety::EmailUtil;
 use FixMyStreet::Email;
+use FixMyStreet::Template::SafeString;
 =head1 NAME
@@ -253,8 +254,9 @@ generally required to stash
 sub setup_request : Private {
 my ( $self, $c ) = @_;
- $c->stash->{contact_email} = $c->cobrand->contact_email;
- $c->stash->{contact_email} =~ s/\@/@/;
+ my $email = $c->cobrand->contact_email;
+ $email =~ s/\@/@/;
+ $c->stash->{contact_email} = FixMyStreet::Template::SafeString->new($email);
 for my $param (qw/em subject message/) {
 $c->stash->{$param} = $c->get_param($param); |
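Review bot: `FixMyStreet::Template::SafeString->new($email)` in `setup_request` exempts the whole address from the new auto-escaping, yet the only transformation applied to it is the `@` substitution, so any `<`, `&` or `"` in the value would reach the template verbatim. `contact_email` comes from the cobrand, which is defined outside this hunk and is presumably configuration rather than request data; if so the risk is low, but that trust assumption should be written down, e.g. `# SafeString: cobrand config value, trusted; only '@' is rewritten`. A more defensive order is to HTML-escape `$email` first, apply the `@` rewrite to the escaped string, and only then wrap it. The replacement side of the substitution shows as a literal `@` on this page, which looks like an entity decoded by the rendering. The body of `setup_request` continues past the end of the hunk.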