cubicweb #2522526 The ErrorView can be hacked to send spam [done]
The content of the message that is sent by email when hitting the "Submit" button on the page generated by the ErrorView is included in that HTML page in a hidden textarea. It is thus easy to forge an email sent by the CW server with arbitrary content.
However, this is not a critical security issue since the recipients of the email cannot be forged.
A possible solution to this issue is to digitally sign the content of the hidden textarea.
closed by: #797fc2e2fb78 [web] add a digital signature to error form (closes #2522526)
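One way to sign the hidden textarea as the ticket proposes, shown as an added example; it is not cubicweb's code and not the content of the changeset above. It assumes a server-side secret and uses hypothetical names (`SERVER_SECRET`, `render_error_form`, `accept_submission`, the `description` and `__signature` fields).

```python
import hashlib
import hmac
import secrets

# Assumption: a per-instance secret that stays on the server and is never
# written into the page. Generated here so the example runs on its own.
SERVER_SECRET = secrets.token_bytes(32)


def sign_body(body: str, key: bytes = SERVER_SECRET) -> str:
    """Hex HMAC-SHA256 tag over the exact text placed in the hidden textarea."""
    return hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()


def render_error_form(body: str) -> dict:
    """Hidden fields the server embeds in the error page (hypothetical names)."""
    return {"description": body, "__signature": sign_body(body)}


def accept_submission(form: dict, key: bytes = SERVER_SECRET) -> bool:
    """Return True only if the submitted text still matches the server's tag."""
    body = form.get("description")
    tag = form.get("__signature")
    if not isinstance(body, str) or not isinstance(tag, str):
        return False  # missing or malformed field: refuse to send mail
    expected = sign_body(body, key)
    # Compare as bytes: compare_digest rejects non-ASCII str, and a client
    # controls the tag. Constant-time comparison leaks no partial match.
    return hmac.compare_digest(expected.encode("ascii"), tag.encode("utf-8"))


if __name__ == "__main__":
    # Constructed sample: the traceback text the server put in the page.
    form = render_error_form("Traceback (most recent call last):\nValueError: boom")
    print("untouched form accepted:", accept_submission(form))
    edited = dict(form, description="text the server never generated")
    print("edited form accepted:", accept_submission(edited))
    print("unsigned form accepted:", accept_submission({"description": "x"}))
```

The tag binds only the text: the same signed report can still be submitted more than once, so limiting repeats is a separate control.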