Member Avatar for cwarn23

I have discovered that in emails any html code in the topic name appears as styled html in the email. I would suggest using htmlentities on the subject in the email updates. Just thought I would let you know of this security risk.

  • 2 Contributors
  • 11 Replies
  • 67 Views
  • 1 Week Discussion Span
  • Latest Post Latest Post by cwarn23

Recommended Answers

All 11 Replies

Member Avatar for cwarn23

Well subscribe to the thread at the following link then make a reply to that thread then you will see the <div> in the title will not appear in the email. It will actually execute the div code making a div box.
http://www.daniweb.com/forums/thread260244.html

Member Avatar for cwarn23

Attached to this post is a screenshot of the email and the <div> in the topic title doesn't appear in the email link title and instead appears as a actual <div> field.

divproblem.bmp (727.08 KB)
Member Avatar for Dani

Can you let me know if this has been fixed?

Member Avatar for cwarn23

I just got a reply from thread260244 and the only problem which I don't think can be solved is that although it is fine in webmail, in email clients, the html entities show in the title of the email. So yea looks like it is solved. If you subscribe to my other thread I can reply to it and ya can see what has been going on.

Member Avatar for Dani

I'd rather it be double escaped than unescaped and vulnerable.

Member Avatar for cwarn23

Now you mention it that is a great reason for the title to be escaped. All is now good so I shall mark this topic solved.

I'd rather it be double escaped than unescaped and vulnerable.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.