• Resolved mlchrt

    (@mlchrt)


    Hi there,
    today I noticed that HTML from any text input gets parsed and displayed in the response e-mails, which could be a security risk. So if a user enters <a href="example.com">Click here</a> into a form submission text field, it is rendered as a link in the e-mail response. Any way to disable this?
    Thanks!

  • Plugin Support Imran – WPMU DEV Support

    (@wpmudev-support9)

    Hello @mlchrt !

    I hope you’re doing great!

    I’ve tested that on my test site but wasn’t able to replicate the issue – the value has been stripped of all HTML as it should be.

    Some questions:
    – Are you using the latest version of the plugin?
    – Does this also happen when all other plugins are deactivated?

    Additionally, as we treat all such reports with priority, can you export the form where this is happening and share it with us so we can check it further?

    How to export: https://wpmudev.com/docs/wpmu-dev-plugins/forminator/#import-export

    After exporting, please share the code using a service such as https://pastebin.com (free)

    Please always make sure to use such service to share the code and don’t post the code here directly as it will most likely be unusable.

    Best regards,
    Pawel

    Thread Starter mlchrt

    (@mlchrt)

    Hi,
    thanks for the quick response. I’m running Version 1.16.2 and in my case all text areas are passing the HTML un-stripped; instead, in the response emails a link, for example, is just displayed fine as a link. Haven’t had the chance to test <script> or other tags but this could really be an issue. I’m currently not able to share a sample form code but I tried this earlier today with a form set up already. All other plugins disabled.

    Plugin Support Nebu John – WPMU DEV Support

    (@wpmudevsupport14)

    Hi @mlchrt,

    I am afraid, as we weren’t able to replicate the issue at our end, we need to take a closer look at the form that you noticed an issue with.

    Could you please share an export of the form as requested in our previous response to debug this issue as soon as possible?

    Best Regards,
    Nebu John

    Thread Starter mlchrt

    (@mlchrt)

    Hey there,
    it still happens every time, because the e-mail is sent as an HTML e-mail, so every client parses HTML in the text as usual e-mail content. Here is a quick sample form: https://pastebin.com/T3D9HuhP (PW:buqyuNQVrf) and if you now paste for example <a href="https://www.w3schools.com/">Visit W3Schools.com!</a> in the text field it will be rendered as a link in the receipt e-mail to the admin. The HTML is not stripped in the text field nor in the text area while being processed.

    Plugin Support Imran – WPMU DEV Support

    (@wpmudev-support9)

    Hello @mlchrt !

    Just a quick update to let you know that I’ve requested a snippet from our Second Line Support team to fix this issue for now. We’ll share it here as soon as it’s ready.

    Kind regards,
    Pawel

    Plugin Support Nithin – WPMU DEV Support

    (@wpmudevsupport11)

    Hi @mlchrt,

    On checking further it seems like the issue is more specific to when you use individual macro fields inside the email notifications, i.e. {textarea-1}.

    When you use {all_fields} then it works fine when tested.

    To get it to work with your current setup, you can try this snippet:

    <?php
    /**
     * Strip HTML tags from Forminator textarea values before they are used
     * in e-mail notifications. Only runs for the form with ID 2235.
     */
    add_filter( 'forminator_prepared_data', 'wpmudev_strip_textarea_html', 10, 2 );

    function wpmudev_strip_textarea_html( $prepared_data, $module_object ) {
    	// Leave every other form untouched.
    	if ( $module_object->id != 2235 ) {
    		return $prepared_data;
    	}

    	foreach ( $prepared_data as $key => $value ) {
    		// Field keys look like "textarea-1", "textarea-2", ...
    		if ( false !== strpos( $key, 'textarea' ) && $value ) {
    			$prepared_data[ $key ] = wp_strip_all_tags( $value );
    		}
    	}

    	return $prepared_data;
    }

    You’ll need to update the following line in the above code with your Form ID; i.e. suppose your form ID is 123, then the line:

    	if ( $module_object->id != 2235 ) {

    Will change to:

    	if ( $module_object->id != 123 ) {

    You can implement the above code as a mu-plugin. Please check this link on how to implement the above code as a mu-plugin:
    https://wpmudev.com/docs/using-wordpress/installing-wordpress-plugins/#installing-mu-plugins

    Kind Regards,
    Nithin

    Thread Starter mlchrt

    (@mlchrt)

    Hi Nithin,
    thanks for your response. Sadly this doesn’t fix the problem. I did everything you told me above. Created a mu-plugins folder, placed a file named formfix.php inside and copied the code above with the edited form ID. Sadly the text areas are still rendered as HTML. This applies also to text inputs without validation. And yes, you’re right, I’m not using all-fields; I’m adding each form piece through a shortcode in the e-mail notification tab. I’m sadly getting no results with the code above. How can I test if the mu-plugins are being executed?
    Thanks for your outstanding help

    Plugin Support Nebu John – WPMU DEV Support

    (@wpmudevsupport14)

    Hi @mlchrt,

    I checked and confirmed the code is working as expected on a test website at my end. Can you please share the following so we can look closely at the issue?

    1) URL to the page where you have placed the form.
    2) The modified code that you have added.
    3) File path of where you have added the code.

    We will be looking forward to hearing back from you.

    Kind Regards,
    Nebu John

    Thread Starter mlchrt

    (@mlchrt)

    Hi there,
    this also affects text inputs besides text areas. Can I just add another if clause like

    if ( strpos( $key, 'text' ) !== false ) {

    to apply the plugin also on text fields?
    Thanks!

    Plugin Support Nebu John – WPMU DEV Support

    (@wpmudevsupport14)

    Hi @mlchrt,

    Yeah, that should work, but by default, there’s no link coming in emails for the text field when I checked at my end.

    Can you please re-check and share a screenshot of the issue you noticed?

    Kind Regards,
    Nebu John
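A generalised version of the snippet from Nithin’s reply, added here as an illustration (not the thread’s or Forminator’s own code): it covers both text and textarea fields, takes a list of form IDs, and writes one log line on load so the asker’s question about whether the mu-plugin runs at all can be answered from the debug log. The key pattern, the formfix_ names and the form ID 123 are assumptions; only the forminator_prepared_data filter and its two arguments come from the thread.

```php
<?php
/**
 * Plugin Name: Forminator e-mail HTML sanitiser (illustrative mu-plugin)
 *
 * Added example, not code from the thread or from Forminator. Extends the
 * support snippet to text AND textarea fields, and logs once when loaded so
 * you can confirm WordPress actually executes this mu-plugin.
 */

// ASSUMPTION: replace with the ID(s) of the form(s) to protect.
const FORMFIX_FORM_IDS = array( 123 );

// ASSUMPTION: Forminator names single-line and multi-line text fields
// "text-N" and "textarea-N" (the thread only shows {textarea-1}).
const FORMFIX_KEY_PATTERN = '/^(text|textarea)-\d+/';

// Visible proof the file was loaded: with WP_DEBUG and WP_DEBUG_LOG enabled
// this line lands in wp-content/debug.log, otherwise in the PHP error log.
error_log( 'formfix mu-plugin loaded' );

add_filter( 'forminator_prepared_data', 'formfix_sanitise_text_fields', 10, 2 );

/**
 * Strip HTML from text/textarea values before Forminator builds notifications.
 * Stripping matches the support snippet; use esc_html() instead if you would
 * rather keep the literal tags visible in the e-mail.
 */
function formfix_sanitise_text_fields( $prepared_data, $module_object ) {
	// Leave every form not listed above untouched.
	if ( ! in_array( (int) $module_object->id, FORMFIX_FORM_IDS, true ) ) {
		return $prepared_data;
	}

	foreach ( $prepared_data as $key => $value ) {
		if ( ! preg_match( FORMFIX_KEY_PATTERN, $key ) ) {
			continue; // not a text or textarea field
		}
		// Only plain string values are sanitised; other field types may
		// deliver arrays and are left as-is to avoid corrupting them.
		if ( is_string( $value ) && '' !== $value ) {
			$prepared_data[ $key ] = wp_strip_all_tags( $value );
		}
	}

	return $prepared_data;
}
```

Drop the file into wp-content/mu-plugins/ and submit the form once; if the log line never appears, the mu-plugins directory is not being loaded at all and the filter was never the problem.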

    Plugin Support Amin – WPMU DEV Support

    (@wpmudev-support2)

    Hello @mlchrt ,

    We haven’t heard from you for a while now, so it looks like you don’t have any more questions for us.

    Feel free to re-open this ticket if needed.

    Kind regards
    Kasia
