Topic: | Email not properly escaped on user edit page |
Severity/Risk: | Minor |
Versions affected: | <1.9.6 |
Reported by: | Alan Trick |
Issue no.: | MDL-20295 |
Solution: | upgrade to latest weekly build or 1.9.6 |
Workaround: | disable email change confirmation (not recommended) |
Description:
Alan Trick discovered that the email change confirmation code does not properly escape email addresses. This problem is marked as minor because the email address is validated and cannot contain arbitrary text.
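Validation and output escaping are separate controls: an address can pass validation and still contain characters such as `'` or `&` that have meaning in HTML. The PHP below is an added example, not Moodle's code; the function names and message text are hypothetical, PHP's built-in `filter_var()` stands in for Moodle's own email validation, and the sample addresses are constructed.

```php
<?php
// Added example, not Moodle code. Function names and message text are hypothetical.

/** Before: the validated address is placed into the HTML as-is. */
function render_pending_unescaped(string $email): string {
    return '<p>Pending change to ' . $email . '</p>';
}

/** After: the address is encoded for the HTML context at output time. */
function render_pending_escaped(string $email): string {
    $safe = htmlspecialchars($email, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p>Pending change to ' . $safe . '</p>';
}

/**
 * Report whether an address is rejected by validation, or accepted and
 * whether escaping alters how it is written into the page.
 */
function classify(string $email): string {
    // Stand-in validator (assumption): PHP's built-in email filter.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return 'rejected by validation';
    }
    return render_pending_escaped($email) === render_pending_unescaped($email)
        ? 'valid, unchanged by escaping'
        : 'valid, changed by escaping';
}

// Constructed sample inputs.
$samples = [
    'alice@example.com',
    "o'brien@example.com",
    'tom&jerry@example.com',
    '<b>alice</b>@example.com',
];

foreach ($samples as $email) {
    printf("%-28s %s\n", $email, classify($email));
}
```

Any address reported as "valid, changed by escaping" is one where validation alone did not make the value safe to write into HTML, which is why the output must be escaped regardless of the input checks.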