Open JorinHakai opened 2 years ago
@n-a-t-e Are we worried about this, or shall we close? The field on the frontend already has a regex requiring that the submitted data is an email address. Should we check the value in the back end explicitly, or is it checked by default?
Most (all?) fields are already checked using express-validator, except for some reason email, and I still haven't fixed that, so I like this issue as a reminder.
We allow for entry of data into the download request email field. Most users will only enter email addresses, but an attacker may attempt to run code server-side through this field. May want to check if we need to sterilize that entry before sending the request to the server to prevent code-injection attacks. Perhaps this is already handled by the api/server?
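The server-side check discussed in this issue, written as an added example that is not the project's code: the project uses express-validator (its equivalent chain is only named in a comment here), while this dependency-free version shows what that check has to do, including type-checking the body before any regex runs, since a crafted request is not bound by the frontend regex. The sample request bodies are constructed for the example.

```javascript
// Added example (not the project's code): validate the download-request email
// field on the server, independently of the frontend regex.
// In Express the same role is played by express-validator, e.g.
// body('email').isEmail(); this stand-alone version needs no dependencies.

const MAX_EMAIL_LENGTH = 254; // practical upper bound from RFC 5321

// Conservative address shape: local part, one "@", dotted labels ending in a TLD.
const EMAIL_RE = /^[A-Za-z0-9.!#$%&'*+\/=?^_`{|}~-]+@[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)+$/;

// Validate what actually arrived in the parsed request body.
// Returns { ok: true, email } or { ok: false, error }.
function validateDownloadEmail(body) {
  // A JSON body can carry any type. A bare regex .test() coerces its argument
  // to a string, so ['user@example.org'] would pass; check the type first.
  if (body === null || typeof body !== 'object' || typeof body.email !== 'string') {
    return { ok: false, error: 'email must be a string' };
  }
  const email = body.email.trim();
  if (email.length === 0 || email.length > MAX_EMAIL_LENGTH) {
    return { ok: false, error: 'email has invalid length' };
  }
  // Reject control characters (CR/LF would let the value spill into mail headers).
  if (/[\u0000-\u001f\u007f]/.test(email)) {
    return { ok: false, error: 'email contains control characters' };
  }
  if (!EMAIL_RE.test(email)) {
    return { ok: false, error: 'email is not a valid address' };
  }
  return { ok: true, email: email.toLowerCase() };
}

// Constructed sample bodies: one a browser form would send, the rest shapes the
// frontend regex never sees because the request was built directly.
const SAMPLE_BODIES = [
  { email: 'user@example.org' },
  { email: ['user@example.org'] },
  { email: 'user@example.org\r\nextra' },
  { email: 'not an address' },
  {},
];

// Convenience: which of the sample bodies would be accepted.
function summarize(bodies) {
  return bodies.map((b) => validateDownloadEmail(b).ok);
}
```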