Closed (fixed)
Project:
Drupal core
Version:
5.0-beta1
Component:
contact.module
Priority:
Normal
Category:
Bug report
Assigned:
Unassigned
Reporter:
Created:
27 Nov 2006 at 13:01 UTC
Updated:
31 Jul 2007 at 19:35 UTC
A bug of the same kind has already been reported in this issue. I've found more of this in the contact module (see attached patch). The problem is that user receives a plain-text e-mail with HTML tags.
| Comment | File | Size | Author |
|---|---|---|---|
| contact.module.no.em.patch | 1.54 KB | archetwist |
Comments
Comment #1
heine commentedThis is a potential XSS hole. watchdog needs checkplained input.
Comment #2
heine commentedLet me rephrase that, it is a cross site scripting hole.
Can you check whether the issue still applies to the latest development version of Drupal?
Comment #3
archetwist commentedIt seems it doesn't. I've sent a test e-mail through the contact module and there are no tags in the message. I guess this issue can be closed.
Comment #4
webchickComment #5
fuzzie commentedI applied the patch, and still get the tags on the subject line and the Submitted by lines.
:(