Always remove hash part from URL when detecting the script name (#18204)

* Always remove hash part from URL when detecting the script name

* use mb_ string methods

* also escape ip

* fix login ui test

2 files changed, 5 insertions, 2 deletions

diff --git a/plugins/Login/PasswordResetter.php b/plugins/Login/PasswordResetter.php
index b71b846a1b..db93ddc2b9 100644
--- a/plugins/Login/PasswordResetter.php
+++ b/plugins/Login/PasswordResetter.php
@@ -446,7 +446,7 @@ class PasswordResetter
         $bodyText = '<p>' . str_replace(
                 "\n\n",
                 "</p><p>",
-                Piwik::translate('Login_MailPasswordChangeBody2', [Common::sanitizeInputValue($login), $ip, $url])
+                Piwik::translate('Login_MailPasswordChangeBody2', [Common::sanitizeInputValue($login), Common::sanitizeInputValue($ip), Common::sanitizeInputValue($url)])
             ) . "</p>";
         $mail->setWrappedHtmlBody($bodyText);
 
diff --git a/plugins/Login/tests/UI/Login_spec.js b/plugins/Login/tests/UI/Login_spec.js
index 968bea18eb..dbbb4f326a 100644
--- a/plugins/Login/tests/UI/Login_spec.js
+++ b/plugins/Login/tests/UI/Login_spec.js
@@ -162,6 +162,9 @@ describe("Login", function () {
             throw new Error(`Could not find reset URL in email, captured mail info: ${fileContents}`)
         }
         resetUrl = resetUrl[0].replace(/<\/p>$/, '');
+        resetUrl = await page.evaluate((resetUrl) => {
+            return piwikHelper.htmlDecode(resetUrl);
+        }, resetUrl);
 
         await page.goto(resetUrl);
         await page.waitForNetworkIdle();
@@ -291,4 +294,4 @@ describe("Login", function () {
 
         expect(await page.getWholeCurrentUrl()).to.equal("https://matomo.org/security/");
     });
-});
\ No newline at end of file
+});