- Bug
- Resolution: Fixed
- Neutral
- 2.3.2
- None
- Saigon 34
- 8
DefaultFormDataBinder uses XSS escaping to transform form values. This is fine for HTML email but not for plain text email because the HTML entities are not decoded.
You can easily reproduce this problem with the travel demo contact page by using quotes (single or double) in the subject or message field.
I had to release, so I fixed this by overriding the sendMail method in both SendContactEMailProcessor and SendConfirmationEMailProcessor with the following code.
    // Plain-text mail is not rendered as HTML, so undo the XSS escaping that
    // DefaultFormDataBinder applied to every String form value before sending.
    if ("text".equals(contentType)) {
        for (final String key : parameters.keySet()) {
            final Object value = parameters.get(key);
            if (value instanceof String) {
                parameters.put(key, EscapeUtil.unescapeXss((String) value));
            }
        }
    }
    super.sendMail(body, from, subject, to, contentType, parameters);
At least the code snippet could be put in AbstractEMailFormProcessor, unless there's a better way to do so.
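To make the reported behaviour concrete, the following is an added, self-contained example written for this page; it is not code from the project or from the reporter. It assumes the "text" content-type marker used in the snippet above, and it uses minimal stand-ins for the binder's escaping and for EscapeUtil.unescapeXss (named escapeXss and unescapeXss here), because the real implementations are not shown on this page. The parameter names subject, message and nights and the sample values are constructed.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class PlainTextMailUnescapeDemo {

    // Stand-in for the escaping DefaultFormDataBinder applies to form values
    // (assumed to be HTML-entity encoding of the five characters below).
    static String escapeXss(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Stand-in for EscapeUtil.unescapeXss. "&amp;" is decoded last so that a
    // value escaped twice ("&amp;lt;") comes back as "&lt;", not as "<".
    static String unescapeXss(String s) {
        return s.replace("&lt;", "<")
                .replace("&gt;", ">")
                .replace("&quot;", "\"")
                .replace("&#39;", "'")
                .replace("&amp;", "&");
    }

    // The reporter's fix as a helper that a sendMail override (or a shared
    // base class) could call: decode String values only for plain-text mail.
    // For HTML mail the values stay escaped, because there the escaping is
    // what stops user input from becoming markup.
    static Map<String, Object> prepareParameters(String contentType, Map<String, Object> parameters) {
        Map<String, Object> out = new LinkedHashMap<>(parameters);
        if ("text".equals(contentType)) {
            for (Map.Entry<String, Object> e : out.entrySet()) {
                if (e.getValue() instanceof String) {
                    e.setValue(unescapeXss((String) e.getValue()));
                }
            }
        }
        return out;
    }

    // Minimal stand-in for the mail body template.
    static String render(Map<String, Object> params) {
        return "Subject: " + params.get("subject") + "\n"
             + "Message: " + params.get("message") + "\n"
             + "Nights: " + params.get("nights");
    }

    public static void main(String[] args) {
        // Constructed sample: what the binder hands the processor after escaping.
        Map<String, Object> bound = new LinkedHashMap<>();
        bound.put("subject", escapeXss("Room \"Deluxe\" & breakfast"));
        bound.put("message", escapeXss("I'd like <2> nights"));
        bound.put("nights", 2); // non-String values are left untouched

        System.out.println("--- text/plain, before the fix (entities leak into the mail) ---");
        System.out.println(render(bound));
        System.out.println("--- text/plain, with the fix ---");
        System.out.println(render(prepareParameters("text", bound)));
        System.out.println("--- text/html, left escaped on purpose ---");
        System.out.println(render(prepareParameters("html", bound)));
    }
}
```

Compile with javac and run the class: the first block shows the quotes and ampersand arriving as entities in the plain-text body, the second shows them restored, and the third shows that HTML mail keeps the escaped form. Keying the decode on the content type rather than unescaping unconditionally is the important part; decoding for HTML mail would reintroduce the injection the binder's escaping prevents.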
Acceptance criteria