Is it possible for users to type malicious code in the invite textarea?
Addge - September 1, 2009 - 16:09
| Project: | Invite |
| Version: | 6.x-2.0-alpha1 |
| Component: | Code |
| Category: | support request |
| Priority: | normal |
| Assigned: | Addge |
| Status: | closed |
Description
Hi,
Thanks a lot for this great module.
As I am working on the website www.addge.com, I came to think about whether it is possible for web users to key in malicious code in the invitee textarea field provided by the invite module?
As a simple test, I tried to execute some PHP code in my invitee textarea field on my site and found that PHP code is removed from the output of the mail sent to the invitee's email address. So, the invite.module seems to be quite safe here.
However, I would like to ask if any other users have the same concerns as me or if there are other vulnerabilities here I overlooked?

#1
Invite only ever sends plain text e-mails. It doesn't matter what script code they may contain, as it will never be executed.
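
The point made in #1, as an added example that is not part of the original thread and is not the Invite module's code: the message's Content-Type decides whether a mail client hands the body to an HTML renderer. The helper names, addresses and sample input are assumptions constructed for illustration, and the HTML variant is shown only as a contrast, since the thread says Invite sends plain text.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from html import escape

# Constructed sample of text typed into the invite message textarea.
SAMPLE_INPUT = 'Join me! <script>alert(1)</script> <?php echo "x"; ?>'


def build_invite(user_text, subtype="plain", escape_input=True):
    """Hypothetical helper: wrap user text in a one-part e-mail."""
    body = user_text
    if subtype == "html":
        # In an HTML part the text must be escaped to stay inert.
        safe = escape(user_text) if escape_input else user_text
        body = "<p>%s</p>" % safe
    msg = EmailMessage()
    msg["From"] = "site@example.com"      # placeholder addresses
    msg["To"] = "invitee@example.com"
    msg["Subject"] = "You have been invited"
    msg.set_content(body, subtype=subtype)
    return msg.as_bytes()


def client_view(raw):
    """Parse raw bytes as a mail client would and describe the body part."""
    msg = message_from_bytes(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("html", "plain"))
    text = part.get_content()
    is_html = part.get_content_type() == "text/html"
    has_tag = "<script" in text.lower()
    return {
        "content_type": part.get_content_type(),
        # Only text/html bodies are handed to an HTML renderer.
        "goes_to_html_renderer": is_html,
        # The tag arrives as literal characters in the body.
        "contains_raw_tag": has_tag,
        # Raw tags matter only if a renderer will interpret them.
        "live_markup": is_html and has_tag,
    }


if __name__ == "__main__":
    print("plain        ", client_view(build_invite(SAMPLE_INPUT)))
    print("html escaped ", client_view(build_invite(SAMPLE_INPUT, "html")))
    print("html raw     ", client_view(build_invite(SAMPLE_INPUT, "html", False)))
```

In the plain-text case the tag is present in the body but is never interpreted; it becomes live markup only in the unescaped HTML variant.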