I have discovered that in emails any HTML code in the topic name appears as styled HTML in the email. I would suggest using htmlentities on the subject in the email updates. Just thought I would let you know of this security risk.

Please send me an example?

Well, subscribe to the thread at the following link, then make a reply to that thread, and you will see that the <div> in the title will not appear in the email. It will actually execute the div code, making a div box.

Can you take a screenshot for me?

Attached to this post is a screenshot of the email. The <div> in the topic title doesn't appear in the email link title and instead appears as an actual <div> field.

Thanks for the catch! Fixed. :)

Gah! I spoke too soon ... :(

Can you let me know if this has been fixed?

I just got a reply from thread260244, and the only problem, which I don't think can be solved, is that although it is fine in webmail, in email clients the HTML entities show in the title of the email. So yeah, it looks like it is solved. If you subscribe to my other thread I can reply to it and you can see what has been going on.

I'd rather it be double escaped than unescaped and vulnerable.

Now you mention it, that is a great reason for the title to be escaped. All is now good, so I shall mark this topic solved.
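As an added example (not code from this thread or from the forum software), here is how a notification mail can escape the topic title only where it is rendered as HTML, while the Subject header stays plain text with line breaks stripped, which is what avoids both the injected markup and the entities showing up in mail clients. The title, addresses and URL are constructed placeholders.

```python
import html
from email.message import EmailMessage

# Constructed sample topic title containing markup (placeholder, not a real thread title)
TOPIC_TITLE = 'Help with <div style="border:1px solid red">layout</div>'
THREAD_URL = "https://forum.example.invalid/thread260244"  # placeholder URL


def clean_header(value: str) -> str:
    """Subject is a plain-text header, so it is NOT HTML-escaped (that is what
    makes entities show in mail clients). CR/LF are removed so a crafted title
    cannot terminate the header and smuggle in extra headers."""
    return value.replace("\r", " ").replace("\n", " ").strip()


def build_notification(title: str, thread_url: str) -> EmailMessage:
    """Build a multipart/alternative reply notification for a subscribed thread."""
    msg = EmailMessage()
    msg["Subject"] = clean_header(f"New reply in: {title}")  # raw text, header-safe
    msg["From"] = "noreply@forum.example.invalid"  # placeholder sender
    msg["To"] = "subscriber@example.invalid"  # placeholder recipient

    # text/plain part: no HTML context, so the raw title is fine here too.
    msg.set_content(f"New reply in: {title}\n{thread_url}\n")

    # text/html part: the only place the title is interpreted as HTML,
    # so escape it (and the URL) exactly here, once.
    safe_title = html.escape(title, quote=True)
    safe_url = html.escape(thread_url, quote=True)
    msg.add_alternative(
        f'<p>New reply in <a href="{safe_url}">{safe_title}</a></p>\n',
        subtype="html",
    )
    return msg


def rendered_parts(msg: EmailMessage) -> dict:
    """Return the three places the title ends up, for inspection or testing."""
    return {
        "subject": str(msg["Subject"]),
        "text": msg.get_body(preferencelist=("plain",)).get_content(),
        "html": msg.get_body(preferencelist=("html",)).get_content(),
    }


if __name__ == "__main__":
    parts = rendered_parts(build_notification(TOPIC_TITLE, THREAD_URL))
    for name, body in parts.items():
        print(f"--- {name} ---\n{body}")
```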