Should serializeValue() escape Strings that are submitted to the system before sending them out via email?
Just honestly wondering if this is a real issue and, if so, where to deal with it. I tested submitting a textfield with HTML-formatted text (`<hr>`, `<a href="test.com">bla</a>`) and the (HTML) email that came back to me, where I just dump the string from serializeFormElements(...), had those elements formatted. Thus I thought, huh, someone might put malicious stuff in there and trick my admins/editors receiving the same mail.
I was thinking that serializeValue() for every FormElement should take care to escape the value, since this method is specifically there to serialize for email usage.
I would probably store the data un-escaped in my DB and deal with escaping when rendering the info on my administration view.
edit: hm, lol, I have to explicitly escape my examples here... (does that mean it's generally harmless? Or does GitHub filter HTML, so that's a non-issue?)
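To make the concern concrete, here is an added illustration (not code from the project in question, whose serializeValue()/serializeFormElements() signatures are unknown to me and assumed below): the raw dump the post describes next to a version that escapes each value at the email boundary while leaving the stored value untouched.

```python
import html

# Constructed sample submission mirroring the post's test input; not real data.
SUBMITTED = {
    "name": "Alice",
    "comment": '<hr>, <a href="test.com">bla</a>',
}


def store_submission(fields: dict[str, str]) -> dict[str, str]:
    """Persist the values as submitted (unescaped), as the post proposes.

    Stand-in for a DB write; escaping is an output concern, not a storage one.
    """
    return dict(fields)


def serialize_value(value: str) -> str:
    """Escape one FormElement value for use inside an HTML email body.

    html.escape turns <, >, &, " and ' into entities, so a submitted tag is
    shown literally to the admin instead of being interpreted by the mail client.
    """
    return html.escape(str(value), quote=True)


def serialize_form_elements_raw(fields: dict[str, str]) -> str:
    """The behaviour the post observed: values dumped straight into HTML."""
    rows = "".join(f"<tr><th>{k}</th><td>{v}</td></tr>" for k, v in fields.items())
    return f"<table>{rows}</table>"


def serialize_form_elements(fields: dict[str, str]) -> str:
    """Hardened variant: every key and value passes through serialize_value."""
    rows = "".join(
        f"<tr><th>{serialize_value(k)}</th><td>{serialize_value(v)}</td></tr>"
        for k, v in fields.items()
    )
    return f"<table>{rows}</table>"


def contains_live_markup(body: str, tags=("<hr>", "<a ")) -> bool:
    """Cheap self-check: does the rendered body still carry the submitted tags?"""
    return any(tag in body for tag in tags)


if __name__ == "__main__":
    stored = store_submission(SUBMITTED)
    print("raw dump has live tags:", contains_live_markup(serialize_form_elements_raw(stored)))
    print("escaped body has live tags:", contains_live_markup(serialize_form_elements(stored)))
```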