Mail Helper Extension
For security, any Magic Data tokens inserted by a user in form responses to the core form block are sanitized and stripped from the response.
- MAGIC_DATA_FORMS_OVERRIDE_MAIL_HELPER - defaults to true, set false to prevent the core mail helper from being overridden.
- MAGIC_DATA_FORMS_OVERRIDE_FORM_CONTROLLER - defaults to true, set false to prevent the core form block controller from being overridden.
In particular, if you are using any form addon other than the core form block that sends email, you must either:
1. Disable the mail helper override (and so forgo the use of magic data in emails).
2. Add sanitization to the form $_POST data, as demonstrated in the override of the core form block controller provided with this addon.
3. Edit the mail helper override to comment out the unwanted lines of its processing. For example, if you only require Magic Data evaluation in the 'to' address, comment out all $mdeh->fill() lines other than that for the 'to' address. Even then, if an end user could enter a 'to' address, there is a potential for an insertion attack.
Method (2) above, sanitizing the form $_POST data, is strongly recommended as the best way to stay secure. Sanitize any user input that could contain Magic Data.
Such sanitization is already provided by this addon for the core form block. If you are using the override for the core form block controller provided by this addon, the $_POST data from the form is already sanitized.
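For a form addon other than the core form block, the sanitization step could look like the following. This is an added example, not the addon's own code. The `[%` and `%]` delimiters and both function names are assumptions, since this page does not state the token syntax.

```php
<?php
// Added example, not the addon's own code.
// ASSUMPTION: tokens are written as [% ... %]; adjust both constants to the
// delimiters your Magic Data installation actually uses.
const MD_OPEN  = '[%';
const MD_CLOSE = '%]';

// Strip complete tokens and any stray delimiters from a single string.
function strip_magic_data_string(string $value): string
{
    $token = '/' . preg_quote(MD_OPEN, '/') . '.*?' . preg_quote(MD_CLOSE, '/') . '/s';
    do {
        $before = $value;
        // A null result means a PCRE error: fail closed with an empty string.
        $value = preg_replace($token, '', $value) ?? '';
        $value = str_replace([MD_OPEN, MD_CLOSE], '', $value);
        // Loop until stable: removing text can splice new delimiters together,
        // e.g. "[[%%" becomes "[%" after one pass.
    } while ($value !== $before);
    return $value;
}

// Walk scalars and nested arrays (checkbox lists, multi-selects) alike.
function strip_magic_data($input)
{
    if (is_array($input)) {
        return array_map('strip_magic_data', $input);
    }
    return is_string($input) ? strip_magic_data_string($input) : $input;
}

// Constructed sample submission standing in for $_POST.
$post = [
    'Question1' => 'Please reply to [% SOME TOKEN %] today',
    'Question2' => ['plain choice', 'spliced [[%% token %]%] attempt'],
];

// In a real form handler, do this before any value reaches the mail helper:
//   $_POST = strip_magic_data($_POST);
var_export(strip_magic_data($post));
```

Run the sanitizer as early as possible in the form addon's submit handling, so that no code path passes the raw values to the overridden mail helper.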
Last updated: over a year ago