    We have a very simple implementation of eForm that sends a basic "contact us" email as plain text. We've been using this for years without any (known) issues.

    I recently updated our site from Evo 1.0.3 to 1.0.13 due to the AjaxSearch vulnerability. There were a few issues with the upgrade which I managed to iron out, but one side effect that I haven't been able to resolve is that eForm email reports are now being sent with special characters converted to HTML entities. This is because of the following in the "formMerge" function:

        // prevent XSS for formfields: every submitted value is HTML-escaped
        // in the site charset before it is merged into the report template
        if (isset($fld)) {
            $value = htmlspecialchars($value, ENT_QUOTES, $modx->config['modx_charset']);
        }

    If I comment this out, special characters are not converted and the emails look fine, but obviously I don't want to introduce a vulnerability.

    Is it possible for us to safely send eForm reports as plain text without converting the special characters? [ed. note: don juan last edited this post 9 years, 10 months ago.]
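The issue in the post is a context mismatch: `htmlspecialchars()` is the right defence when the merged value ends up in HTML (a web page or a text/html report), but in a text/plain email no HTML is rendered, so the entities only garble the message. The following is an added example, not eForm's or MODX's code, showing one way to pick the escaping by output context: HTML entities for HTML output, the raw value for a plain-text body, and line-break stripping for mail headers. The function names, the `[+name+]` placeholder syntax and the sample submission are all hypothetical and constructed for the example.

```php
<?php
// Added example (not eForm's code): escape each merged field for the
// context it is placed in, instead of HTML-escaping everything.

/**
 * Return $value escaped for the named output context.
 *  - 'html'   : HTML page or text/html mail body (same call as the eForm snippet)
 *  - 'text'   : text/plain mail body, where entities would only garble the text
 *  - 'header' : mail header line (Subject, Reply-To, ...), which must not
 *               contain CR/LF or other control characters
 */
function escapeForContext(string $value, string $context, string $charset = 'UTF-8'): string
{
    switch ($context) {
        case 'html':
            return htmlspecialchars($value, ENT_QUOTES, $charset);
        case 'text':
            // Nothing interprets markup here, so the raw value is the correct output.
            return $value;
        case 'header':
            // Collapse line breaks and control characters so a submitted value
            // cannot add extra header lines to the outgoing message.
            return preg_replace('/[\r\n\x00-\x1F\x7F]+/', ' ', $value);
        default:
            throw new InvalidArgumentException("unknown output context: $context");
    }
}

/**
 * Merge submitted fields into a subject and body template.
 * Placeholders look like [+fieldname+] (hypothetical syntax for this example).
 * The subject is always treated as a header; the body context is chosen by
 * the caller according to the MIME type of the report being sent.
 */
function buildReport(array $fields, string $subjectTemplate, string $bodyTemplate, string $bodyContext): array
{
    $merge = function (string $template, string $context) use ($fields): string {
        return preg_replace_callback(
            '/\[\+([A-Za-z0-9_]+)\+\]/',
            function (array $m) use ($fields, $context): string {
                $value = $fields[$m[1]] ?? '';
                return escapeForContext((string) $value, $context);
            },
            $template
        );
    };

    return [
        'subject' => $merge($subjectTemplate, 'header'),
        'body'    => $merge($bodyTemplate, $bodyContext),
    ];
}

// Constructed sample submission: contains characters htmlspecialchars() rewrites
// (& < > ") and a newline in the name to show the header handling.
$fields = [
    'name'    => "Müller & Söhne <info@example.invalid>\nBcc: someone@example.invalid",
    'message' => 'Price is 5 < 10, "quoted" text',
];

$subjectTpl = 'Contact form: [+name+]';

// Plain-text report: body keeps the raw characters, subject is flattened to one line.
$textReport = buildReport($fields, $subjectTpl, "From: [+name+]\n\n[+message+]\n", 'text');

// HTML report: the same fields, but entity-encoded because the body is rendered as HTML.
$htmlReport = buildReport($fields, $subjectTpl, "<p>From: [+name+]</p>\n<p>[+message+]</p>\n", 'html');

echo "Subject: {$textReport['subject']}\n\n{$textReport['body']}\n";
echo "---\n";
echo "Subject: {$htmlReport['subject']}\n\n{$htmlReport['body']}\n";
```

The point of the split is that the decision belongs to the code that knows the report's MIME type, not to a single unconditional escape in the merge routine. Header values are still sanitized even for the plain-text report, and a non-ASCII subject would additionally need MIME encoding (for example with PHP's `mb_encode_mimeheader()`) before being handed to the mailer.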