I have discovered that in emails any html code in the topic name appears as styled html in the email. I would suggest using htmlentities on the subject in the email updates. Just thought I would let you know of this security risk.

8 Years
Discussion Span
Last Post by cwarn23

Attached to this post is a screenshot of the email and the <div> in the topic title doesn't appear in the email link title and instead appears as a actual <div> field.


I just got a reply from thread260244 and the only problem which I don't think can be solved is that although it is fine in webmail, in email clients, the html entities show in the title of the email. So yea looks like it is solved. If you subscribe to my other thread I can reply to it and ya can see what has been going on.


Now you mention it that is a great reason for the title to be escaped. All is now good so I shall mark this topic solved.

I'd rather it be double escaped than unescaped and vulnerable.

This question has already been answered. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.