Posted by Addge on September 1, 2009 at 4:09pm
| Project: | Invite |
| Version: | 6.x-2.0-alpha1 |
| Component: | Code |
| Category: | support request |
| Priority: | normal |
| Assigned: | Addge |
| Status: | closed (fixed) |
Issue Summary
Hi,
Thanks a lot for this great module.
As I am working on the website www.addge.com, I came to think about whether it is possible for web users to key in malicious code in the invitee textarea field provided by the invite module.
As a simple test, I tried to execute some PHP code in my invitee textarea field on my site and found that PHP code is removed from the output of the mail sent to the invitee's email address. So, the invite.module seems to be quite safe here.
However, I would like to ask if any other users have the same concerns as me or if there are other vulnerabilities here I overlooked?
Comments
#1
Invite only ever sends plain text e-mails. It doesn't matter what script code they may contain, as it will never be executed.