
fix: email link format for administrator contact#151

Open
odaysec wants to merge 1 commit into basecamp:main from odaysec:patch-1

Conversation

@odaysec odaysec commented Dec 22, 2025


Directly writing an uncontrolled stored value (a database field) to a webpage, without properly sanitizing the value first, allows for a cross-site scripting vulnerability. This kind of vulnerability is also called stored cross-site scripting, to distinguish it from other types of cross-site scripting.

CWE-79
CWE-116

In general, to fix this kind of problem, avoid constructing complex HTML or URI strings by interpolating untrusted stored values. Instead, pass untrusted data as separate, escaped arguments to helpers that will handle proper encoding, and/or sanitize or normalize the data before use.

For this specific view, we should stop building the full mailto:"Name" <email> string ourselves. Instead:

  • Use mailto: plus the raw email address as the href, which should be safe when escaped.
  • Move the owner.name into the subject or body query parameter if desired, but encoded via Rack::Utils.build_query or similar, not string interpolation.
  • Ensure the title attribute uses owner.name directly so Rails will HTML-escape it as an attribute value, rather than embedding it inside the href string.

Because we can only edit app/views/accounts/_help_contact.html.erb, the minimal safe change is: replace the interpolated "mailto:\"#{owner.name}\" <#{owner.email_address}>" with a simple "mailto:#{owner.email_address}". This keeps the existing functionality (it still opens a mail client to email the administrator) while removing the untrusted owner.name from the href string, eliminating the tainted data in the URI construction. The existing title: "Email #{owner.name}" remains; Rails will HTML-escape it.

Concretely:

  • In app/views/accounts/_help_contact.html.erb, on line 3, replace the first argument to link_to with "mailto:#{owner.email_address}".
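As an added illustration of the change the comment describes (not code from this PR or from the Basecamp repository), the plain-Ruby script below builds the two `href` strings side by side: the interpolated `mailto:"Name" <email>` form and the address-only form with the name moved into an encoded `subject` parameter. The `Owner` struct, the sample record, the helper names, the use of the standard library's `URI.encode_www_form` in place of `Rack::Utils.build_query`, and the small `link_to` stand-in for Rails' helper are all assumptions made so the example runs without Rails.

```ruby
require "cgi"
require "uri"

# Constructed stand-in for the `owner` record the partial renders (assumption).
Owner = Struct.new(:name, :email_address, keyword_init: true)

# The href as the original partial built it: the stored name is interpolated
# straight into the URI, quotes and angle brackets included.
def interpolated_mailto(owner)
  "mailto:\"#{owner.name}\" <#{owner.email_address}>"
end

# The href after the proposed fix: only the address goes into the URI.
# If the name is wanted, it travels as a percent-encoded query parameter.
# URI.encode_www_form (stdlib) stands in for Rack::Utils.build_query here
# (assumption); both encode each key and value instead of interpolating them.
def fixed_mailto(owner, include_subject: false)
  href = "mailto:#{owner.email_address}"
  return href unless include_subject

  query = URI.encode_www_form("subject" => "Message for #{owner.name}")
  "#{href}?#{query}"
end

# Minimal stand-in for Rails' link_to (assumption): every attribute value and
# the link text are HTML-escaped, as the comment relies on for `title:`.
def link_to(text, href, title:)
  %(<a href="#{CGI.escapeHTML(href)}" title="#{CGI.escapeHTML(title)}">) +
    "#{CGI.escapeHTML(text)}</a>"
end

# True when the raw stored name survives verbatim inside the URI string.
def uri_contains_raw_name?(href, owner)
  href.include?(owner.name)
end

# Constructed sample record whose name carries the characters that matter
# inside a mailto URI: a double quote and an angle-bracketed second address.
SAMPLE_OWNER = Owner.new(
  name: %(Eve" <evil@example.net> "),
  email_address: "admin@example.com"
)

if __FILE__ == $PROGRAM_NAME
  before = interpolated_mailto(SAMPLE_OWNER)
  after  = fixed_mailto(SAMPLE_OWNER, include_subject: true)
  puts "before: #{before}"
  puts "after:  #{after}"
  puts link_to("Email the administrator", fixed_mailto(SAMPLE_OWNER),
               title: "Email #{SAMPLE_OWNER.name}")
end
```

Running the script shows the name appearing unchanged in the interpolated URI, while in the fixed form the address is the only thing after `mailto:` and every quote, bracket and `@` from the name is percent-encoded in the query string; the `title` attribute is entity-escaped by the helper regardless of which href is used.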
