EM tags where they shouldn't be
archetwist - November 27, 2006 - 13:01
| Project: | Drupal |
| Version: | 5.0-beta1 |
| Component: | contact.module |
| Category: | bug report |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | closed |
Description
A bug of the same kind has already been reported in this issue. I've found more of this in the contact module (see attached patch). The problem is that the user receives a plain-text e-mail with HTML tags.
| Attachment | Size |
|---|---|
| contact.module.no.em.patch | 1.54 KB |

#1
```php
watchdog('mail', t('!name-from sent an e-mail regarding !category.', array('!name-from' => $form_values['name'] ." <$from>", '!category' => $contact->category)));
```
This is a potential XSS hole. watchdog needs check_plain()ed input.
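The point comment #1 is making is a context split: a `%` placeholder wraps its value in `<em>` (wrong in a text/plain e-mail, the bug this issue reports), a `!` placeholder inserts the value raw (fine in a text/plain e-mail, but a stored XSS when the same string goes into watchdog(), whose messages the admin log renders as HTML), and `@` escapes without adding tags. The following is an added example, not code from contact.module or from the attached patch; `check_plain()` and `t()` are simplified stand-ins for the Drupal 5 functions of the same name, modelling only the placeholder-prefix handling, and the hostile form input is constructed.

```php
<?php
// Added example, not code from the Drupal issue or from contact.module.
// check_plain() and t() are simplified stand-ins for the Drupal 5 functions
// of the same name: only the placeholder handling is modelled.

function check_plain($text) {
  // Drupal 5's check_plain() is htmlspecialchars() with ENT_QUOTES.
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

function t($string, $args = array()) {
  // Drupal 5 prefixes: '!' raw, '@' check_plain()ed, '%' check_plain()ed and
  // wrapped in <em> (theme('placeholder')).
  foreach ($args as $key => $value) {
    switch ($key[0]) {
      case '@':
        $args[$key] = check_plain($value);
        break;
      case '%':
        $args[$key] = '<em>' . check_plain($value) . '</em>';
        break;
      // '!' falls through: the value is inserted unchanged.
    }
  }
  return strtr($string, $args);
}

// Builds the contact-module message with a given placeholder prefix.
// Hypothetical helper for this example only.
function contact_message($prefix, $name_from, $category) {
  return t($prefix . 'name-from sent an e-mail regarding ' . $prefix . 'category.',
           array($prefix . 'name-from' => $name_from,
                 $prefix . 'category'  => $category));
}

// Constructed input: a hostile "name" submitted through the contact form.
$name      = '<script>alert(1)</script>';
$from      = 'attacker@example.com';
$category  = 'Website feedback';
$name_from = $name . " <$from>";

// '%': <em> tags end up in the text/plain mail (the original bug).
// '!': correct for the text/plain mail body, but the same message passed to
//      watchdog() is stored with the <script> tag intact and rendered as
//      HTML in the admin log (comment #1's XSS hole).
// '@': escaped and without <em>, so safe for the watchdog() message.
foreach (array('%', '!', '@') as $prefix) {
  printf("%s  %s\n", $prefix, contact_message($prefix, $name_from, $category));
}
```

Run with `php example.php`. The `%` line shows the script tag escaped but surrounded by `<em>`, the `!` line shows it verbatim, and the `@` line shows it escaped with no extra markup; the patch's move from `%` to `!` is right for the e-mail body and wrong for the watchdog() call, which should use `@` (or an explicit check_plain()) instead.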
#2
Let me rephrase that, it is a cross site scripting hole.
Can you check whether the issue still applies to the latest development version of Drupal?
#3
It seems it doesn't. I've sent a test e-mail through the contact module and there are no tags in the message. I guess this issue can be closed.
#4
#5
I applied the patch, and still get the tags on the subject line and the Submitted by lines.
:(