From 74fecd887d021b5b388f8bf2d1a20955daca6722 Mon Sep 17 00:00:00 2001
From: Vasilis The Pikachu
Date: Wed, 26 Nov 2025 20:45:38 +0100
Subject: [PATCH] Do not encode URL in href for verification/password reset

Encoding should only happen if we show the URL as text. Due to & being reserved by html (https://www.w3schools.com/html/html_entities.asp), it gets converted to "amp;" which some email clients (and rider) take litterly instead of decoding it to the right perams. Encoding should only happen if we are showing the link itself, as such i provided an extra link below just in case.
---
 SS14.Auth.Shared/ModelShared.cs | 10 ++++++----
 .../Identity/Pages/Account/ExternalLogin.cshtml.cs | 5 ++---
 .../Identity/Pages/Account/Manage/Email.cshtml.cs | 11 +++--------
 3 files changed, 11 insertions(+), 15 deletions(-)

diff --git a/SS14.Auth.Shared/ModelShared.cs b/SS14.Auth.Shared/ModelShared.cs
index b85bf6b..155367e 100644
--- a/SS14.Auth.Shared/ModelShared.cs
+++ b/SS14.Auth.Shared/ModelShared.cs
@@ -11,7 +11,8 @@ public static class ModelShared
 public static async Task SendConfirmEmail(IEmailSender sender, string address, string confirmLink)
 {
 await sender.SendEmailAsync(address, "Confirm your Space Station 14 account",
- $"Please confirm your account by clicking here.");
+ $"Please confirm your account by clicking here." +
+ $"\n

If the above link is not working, try this one {HtmlEncoder.Default.Encode(confirmLink)}

"); } public static async Task SendResetEmail(IEmailSender emailSender, string email, string callbackUrl) @@ -19,12 +20,13 @@ public static async Task SendResetEmail(IEmailSender emailSender, string email, await emailSender.SendEmailAsync( email, "Reset Password", "A password reset has been requested for your account.
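Review bot: The href built in SendConfirmEmail now receives confirmLink with no HTML attribute encoding (per the commit subject; the anchor markup itself is not visible in this rendering), so nothing in this public helper stops a quote or angle bracket in the argument from ending the attribute. `&amp;` inside an href is valid HTML that conforming clients decode, so I would keep `HtmlEncoder.Default.Encode(confirmLink)` in the attribute and look for the cause of the literal `amp;` elsewhere, possibly a body that is encoded twice or delivered as plain text. If the raw form stays, state the contract on the method with a comment such as `// confirmLink must be an absolute URL generated by the application, never caller-supplied text`, and reject anything that is not an absolute http(s) URI before sending. The same applies to callbackUrl in SendResetEmail in the following hunk, and the change-email caller in Email.cshtml.cs places the user-supplied `Input.NewEmail` among the values the link is built from.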
" + - $"If you did indeed request this, click here to reset your password.
" + - "If you did not request this, simply ignore this email."); + $"If you did indeed request this, click here to reset your password.
" + + "If you did not request this, simply ignore this email." + + $"\n

If the above link is not working, try this one {HtmlEncoder.Default.Encode(callbackUrl)} OnPostConfirmationAsync(string returnUrl = null values: new { area = "Identity", userId = userId, code = code }, protocol: Request.Scheme); - await _emailSender.SendEmailAsync(Input.Email, "Confirm your email", - $"Please confirm your account by clicking here."); + await ModelShared.SendConfirmEmail(_emailSender, Input.Email, callbackUrl); // If account confirmation is required, we need to show the link if we don't have a real email sender if (_userManager.Options.SignIn.RequireConfirmedAccount) @@ -163,4 +162,4 @@ await _emailSender.SendEmailAsync(Input.Email, "Confirm your email", ReturnUrl = returnUrl; return Page(); } -} \ No newline at end of file +} diff --git a/SS14.Web/Areas/Identity/Pages/Account/Manage/Email.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/Manage/Email.cshtml.cs index 15349d5..6ebc87d 100644 --- a/SS14.Web/Areas/Identity/Pages/Account/Manage/Email.cshtml.cs +++ b/SS14.Web/Areas/Identity/Pages/Account/Manage/Email.cshtml.cs @@ -6,6 +6,7 @@ using Microsoft.AspNetCore.Mvc; using Microsoft.AspNetCore.Mvc.RazorPages; using Microsoft.AspNetCore.WebUtilities; +using SS14.Auth.Shared; using SS14.Auth.Shared.Data; using SS14.Auth.Shared.Emails; @@ -100,10 +101,7 @@ public async Task OnPostChangeEmailAsync() pageHandler: null, values: new { userId = userId, email = Input.NewEmail, code = code }, protocol: Request.Scheme); - await _emailSender.SendEmailAsync( - Input.NewEmail, - "Confirm your email", - $"Please confirm your account by clicking here."); + await ModelShared.SendConfirmEmail(_emailSender, Input.NewEmail, callbackUrl); await _logManager.LogAndSave(user, new AccountLogEmailChangeRequested(email, Input.NewEmail)); StatusMessage = "Confirmation link to change email sent. Please check your email."; 
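Review bot: In OnPostChangeEmailAsync the message sent to `Input.NewEmail` now goes through the shared account-confirmation template, so its subject changes from "Confirm your email" to "Confirm your Space Station 14 account" and the body asks the recipient to confirm an account, although the link is built for an email change on an existing account. A mail that triggers a security-relevant change should say what following the link does, since the recipient may not be the person who requested it. I would add a separate helper or a subject/body parameter (the name is only a suggestion), for example `await ModelShared.SendChangeEmailConfirmation(_emailSender, Input.NewEmail, callbackUrl);`, with wording such as "Confirm the new email address for your Space Station 14 account". The handler's body starts and ends outside this hunk.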
@@ -137,10 +135,7 @@ public async Task OnPostSendVerificationEmailAsync() pageHandler: null, values: new { area = "Identity", userId = userId, code = code }, protocol: Request.Scheme); - await _emailSender.SendEmailAsync( - email, - "Confirm your email", - $"Please confirm your account by clicking here."); + await ModelShared.SendConfirmEmail(_emailSender, email, callbackUrl); StatusMessage = "Verification email sent. Please check your email."; return RedirectToPage();