The print_mail module does not render node content through input filters before sending. This only seems to affect print_mail, not the main print module.

For example, I have a node that was entered using the "Filtered HTML" input format, which I have configured to use the URL filter, HTML filter, and Image Assist filter. I have both the "Printer-friendly" and "Send E-mail" links enabled on this node type. If I click the Printer-friendly link, the content is rendered correctly. If I click the Send E-mail link, the resulting e-mail uses the raw user input, rather than the filtered input (i.e. URLs are not links, disallowed HTML tags are not stripped, and [img_assist] tags appear as plain text instead of being replaced by the appropriate image).

I've categorized the issue as a bug report, but I think this is arguably a security issue... A user could potentially post a node with dangerous content (such as a JavaScript exploit) that would normally be stripped by the input filters when viewing the content on the web, but this content would be included in the text of the e-mail. It wouldn't compromise the security of the Drupal site itself, but it could be a threat to the e-mail recipient (maybe some sort of XSS attack?).
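The rendering gap described above, as an added PHP illustration (not print_mail's own code). It assumes the Drupal 5 core functions check_markup() and node_load(); the two function names and the node id are hypothetical:

```php
<?php
// Added illustration, not code from the print module. Assumes Drupal 5 core
// APIs (check_markup, node_load); the function names below are hypothetical.

// Pattern matching the reported bug: the stored user input becomes the
// e-mail body without passing through the node's input format, so anything
// the HTML filter would strip, and any [img_assist] tag, is sent verbatim.
function print_mail_body_raw($node) {
  return $node->body;
}

// Corrected pattern: render the body through the same input format the web
// view uses (this is what node_prepare() does for the printer-friendly page).
// The third argument, FALSE, skips the "may the current user use this format"
// check; that is appropriate here because the text was already accepted
// under $node->format when it was saved.
function print_mail_body_filtered($node) {
  return check_markup($node->body, $node->format, FALSE);
}

// Usage (hypothetical node id): the two results differ whenever the body
// relies on the URL, HTML or Image Assist filters.
$node     = node_load(123);
$raw      = print_mail_body_raw($node);       // disallowed tags survive
$filtered = print_mail_body_filtered($node);  // identical to the web rendering
```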

Comments

jcnventura

Status: Active » Fixed

Hi,

I detected this problem a few weeks ago, and I fixed it on October 22nd. The fix is in all the devs since then.

I wasn't really worried as, up to now, no one else had detected it, but I guess it's about time that I create the 4.1 version. There are a few things I want to do before I do that, though.

João

muriqui

Can't use the dev version for my client, so I'll be anxiously awaiting 4.1. :) Thanks, João.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for two weeks with no activity.