A bug of the same kind has already been reported in this issue. I've found more of this in the contact module (see attached patch). The problem is that user receives a plain-text e-mail with HTML tags.

CommentFileSizeAuthor
contact.module.no.em.patch1.54 KBarchetwist

Comments

heine’s picture

Status: Active » Needs work
watchdog('mail', t('!name-from sent an e-mail regarding !category.', array('!name-from' => $form_values['name'] ." <$from>", '!category' => $contact->category)));

This is a potential XSS hole. watchdog needs checkplained input.

heine’s picture

Let me rephrase that, it is a cross site scripting hole.

Can you check whether the issue still applies to the latest development version of Drupal?

archetwist’s picture

It seems it doesn't. I've sent a test e-mail through the contact module and there are no tags in the message. I guess this issue can be closed.

webchick’s picture

Status: Needs work » Closed (fixed)
fuzzie’s picture

I applied the patch, and still get the tags on the subject line and the Submitted by lines.
:(