Hello
WPForms-Team,
your plugin tries to sanitize HTML strings, but it is still possible to
inject HTML and other content, which is then sent to the recipients.
A link
An image:
## Solution
Instead of sanitizing once using sanitize_text_field, this function
could be applied in a recursive loop until the message no longer
changes.
If some HTML tags are to be allowed, the form could apply correct
escaping before sending an email, so that an attacker cannot use HTML.
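To illustrate the two remedies above, here is an added example that is not part of the advisory and not WPForms or WordPress code. The single-pass tag stripper `strip_tags_once` is a constructed stand-in for the class of filter that removes one layer of markup per call (it is not `sanitize_text_field`); `strip_tags_fixed_point` is the recommended loop that repeats until the output stops changing, and `escape_for_email_html` is the escaping alternative for the case where markup must stay inert in the outgoing mail:

```python
import html
import re

# Constructed stand-in for a one-layer tag stripper. This is NOT WordPress'
# sanitize_text_field; it only models a filter that removes one layer of
# <...> markup per call, which is why nested input survives a single pass.
_TAG_RE = re.compile(r"<[^<>]*>")


def strip_tags_once(value: str) -> str:
    """Remove one layer of <...> markup. Not idempotent on nested input:
    '<<b>a href="...">link</a>' loses the inner <b> and the </a>, but the
    outer '<' then joins with 'a href=...>' to form a live anchor tag."""
    return _TAG_RE.sub("", value)


def strip_tags_fixed_point(value: str, max_rounds: int = 100) -> str:
    """The recursive-loop remedy: reapply the stripper until a pass produces
    no change. max_rounds bounds the loop on hostile input; if the text is
    still changing after that, fail closed by escaping instead of stripping."""
    current = value
    for _ in range(max_rounds):
        nxt = strip_tags_once(current)
        if nxt == current:
            return nxt
        current = nxt
    return html.escape(current, quote=True)


def escape_for_email_html(value: str) -> str:
    """The escaping remedy: encode '<', '>', '&' and quotes so whatever
    survived sanitization is rendered as text, never as markup."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    # Constructed sample input; the domain is a placeholder.
    sample = '<<b>a href="https://example.invalid">link</a>'
    print(repr(strip_tags_once(sample)))        # one pass leaves an <a ...> tag
    print(repr(strip_tags_fixed_point(sample))) # loop reduces it to 'link'
    print(escape_for_email_html(sample))        # escaping renders it inert
```

The point of the fixed-point loop is that a sanitizer which is not idempotent cannot be trusted after one call; either iterate to a fixed point or, where tags are needed, escape the untrusted parts before they reach the mail body.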
## References
[aramido responsible disclosure
policy](https://aramido.de/blog/Sicherheitshinweise)
## Authors
Andreas Sperber, aramido GmbH
E-mail: andreas.sperber@aramido.de
PGP-Key: https://aramido.de/andreas.sperber.asc
PGP-Fingerprint: FC84 BB4D 696D F04C E1A1 2BED 7518 A24A 06B9 BEA7
Benjamin Pokrant, aramido GmbH
E-mail: benjamin.pokrant@aramido.de
PGP-Key: https://aramido.de/benjamin.pokrant.asc
PGP-Fingerprint: 2993 0EE2 3A41 86E1 9C97 72F4 24E2 4AE1 403E 1651
## Disclaimer
The information provided in this advisory is provided "as is" without
any warranty. Details of this security advisory may be updated in order
to provide as accurate information as possible. The latest version of
this security advisory is available on the aramido web site. aramido
GmbH disclaims all warranties, either expressed or implied, including
the warranties of merchantability and capability for a particular
purpose. aramido GmbH or its suppliers are not liable in any case of
damage, including direct, indirect, incidental, consequential loss of
business profits or special damages, even if aramido GmbH or its
suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not
apply. We do not approve or encourage anybody to break any vendor
licenses, policies, deface websites, hack into databases or trade with
fraud/stolen material.
## Copyright
CC-BY-4.0
http://creativecommons.org/licenses/by/4.0/
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEPW1SqILXQdSB6cMt8r3/fQu+GBMFAl6yq3AACgkQ8r3/fQu+
GBOMbw//ebCiiNqNjnpuC7BO73jB+ZMiLSsLvbTjSEPBEPlL+BPUuxzJShKpWpis
QXMQuDEnqh+K4bPiN50LzW/cgCb92RIgN2QER/6T9XbJAeSCHRPSm+OgFzG+XIv1
HY/lLbEF+ZVYzcJ+VXf/yYfPtVSXd5c/vPooZqCGkBNMjYBxXRHUMp5u3dachrXr
zs0ukBqKWkgakF94e2zK0E68HagAztTz4gsV5O102NBnVDWq3Z1LqulweVyIWVSk
BzvC+U8CRqGwN/v7Rs+UFJ5IQdgvswplA2Wy68A2xElvLo6IlbSytetRJSK7iORx
9W3wTP4XA/BCoGCiMKtpyoAvkW0rZn+Yk9J3xiOpG23+Ge950OnXUrkZRkUq/aVb
KObFJIKzZtMHFtyrE1K43mK1VS+sRYH4GhC0T1DOnclGp6bd3FL2E2aBlKGxldym
zohZ4wCvcQnhG/4P7+NcPQEdOAc3hbVxaY4A9PeVpwYf/U4JwmTSd8TDYBSVSrkx
GAOF/KECuDj+KXm/5LyiVsZVZdCrt6IA7zcJIZnbCFDClh9RmMTulTUmXY4Edge9
DMhpHJCFPKfRVfRQTwuTAnkJIhkwJFpluTm5KJOtKGRKzUPgL8XNGKz8MuEew8ge
eIKZk/gjuYm8l7pYUd3C1NP0JhLi8J3Sy5bNzzrMBImTir2jBeM=
=2pFl
-----END PGP SIGNATURE-----