Problem/Motivation

Using the email field in a contact form, the HP Fortify on Demand security scanning process reports a critical reflected XSS vulnerability.

Steps to reproduce

Enter an invalid email address such as

1707+Interdimensional+Street<iMg SrC=xSrFtEsT.sPi>

The form is validated and re-displayed, but the error message displays the original input and the input field for the email address re-displays the input.

In both the code and the response, both values have been through check_plain and have had <, > and the like converted to HTML entities.

Proposed resolution

Workaround (hack to email.module)

Change the error message to say 'Email field is invalid'

Modify the value of the entered email address passed back to the form so that it has no invalid characters in it.

In modules/email/email.module:

/**
 * Implements hook_field_widget_form().
 */
function email_field_widget_form(&$form, &$form_state, $field, $instance, $langcode, $items, $delta, $base) {
  $element = $base;
  $element['email'] = $base + array(
    '#type' => 'textfield',
    '#default_value' => isset($items[$delta]['email']) ? $items[$delta]['email'] : NULL,
    '#size' => $instance['widget']['settings']['size'],
    '#prefix' => '<div class="text-full-wrapper">',
    '#suffix' => '</div>',
    // Added by the workaround: run the sanitising callback during validation.
    '#element_validate' => array('_email_field_xss_validate'),
  );
  return $element;
}

/**
 * Custom validation for the email field (added by the workaround).
 *
 * If the submitted value is not a valid email address, replace the element's
 * #value with a copy stripped of every character that cannot occur in an
 * address, so the re-displayed textfield no longer contains the raw input.
 */
function _email_field_xss_validate(&$element, &$form_state) {
  $value = $element['#value'];

  if (!filter_var($value, FILTER_VALIDATE_EMAIL)) {
    $element['#value'] = filter_var($value, FILTER_SANITIZE_EMAIL);
  }
}

Proposed resolution

Use hook_field_widget_WIDGET_TYPE_form_alter() to add the extra validate function.

Remaining tasks

  • Verify this is not a security issue (done, see #5).
  • Post an example of the hook.

User interface changes

Yes

API changes

Should not be.

Data model changes

Should not be.
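The following is an added example of the alter-hook approach proposed above; it is not code from this issue, from the email module or from its maintainers. It assumes a custom Drupal 7 module named email_sanitize (the module name and both function names are assumptions) and that the email module's widget type is 'email_textfield', the type declared in email_field_widget_info(). It does the same thing as the workaround without patching email.module: on invalid input it replaces the value with a copy stripped of characters that cannot occur in an email address, writes that copy into both the element and $form_state['values'], and records a generic error that does not echo the input.

```php
<?php
/**
 * @file
 * Adds a sanitising validate callback to the email module's widget from a
 * separate Drupal 7 module, instead of patching modules/email/email.module.
 *
 * Added example; not code from the issue or the email module. The module
 * name (email_sanitize) and the callback names are assumptions.
 */

/**
 * Implements hook_field_widget_WIDGET_TYPE_form_alter().
 *
 * WIDGET_TYPE here is 'email_textfield', the widget type the email module
 * declares in email_field_widget_info(), so drupal_alter() invokes this
 * function for that widget only.
 */
function email_sanitize_field_widget_email_textfield_form_alter(&$element, &$form_state, $context) {
  // email_field_widget_form() puts the textfield under the 'email' key.
  // Append our callback rather than replacing #element_validate so that
  // callbacks added by other modules stay in place.
  if (isset($element['email'])) {
    $element['email']['#element_validate'][] = 'email_sanitize_element_validate';
  }
}

/**
 * Element validate callback for the email textfield.
 *
 * On invalid input: replace the submitted string with a copy stripped of every
 * character that cannot occur in an email address, push that copy into both
 * the element (what the re-displayed textfield shows) and $form_state['values']
 * (what later field-level validation reads), and flag the element with a
 * generic message that does not echo the input.
 */
function email_sanitize_element_validate(&$element, &$form_state, $form) {
  $value = $element['#value'];

  // Nothing to do for empty input (the field's own #required handling covers
  // it) or for a well-formed address.
  if ($value === '' || filter_var($value, FILTER_VALIDATE_EMAIL) !== FALSE) {
    return;
  }

  // FILTER_SANITIZE_EMAIL keeps letters, digits and the punctuation allowed in
  // an address and drops everything else, including '<', '>' and spaces. The
  // issue's sample input therefore becomes
  // 1707+Interdimensional+StreetiMgSrC=xSrFtEsT.sPi
  $clean = filter_var($value, FILTER_SANITIZE_EMAIL);

  // $element arrives by reference from _form_validate(), so this is the value
  // the re-rendered textfield shows; form_set_value() keeps
  // $form_state['values'] in step with it.
  $element['#value'] = $clean;
  form_set_value($element, $clean, $form_state);

  // Reject the submission even if sanitising happened to produce a valid
  // address: silently accepting an altered value would surprise the user.
  form_error($element, t('The email address is not valid.'));
}
```

Because element-level validation runs before the form's #validate handlers (where field_attach_form_validate() invokes email_field_validate()), and form_set_error() in Drupal 7 keeps only the first error recorded for a given element, the generic message above is the one displayed; drop the form_error() call if the module's own message is preferred. As noted in the comments below, check_plain already neutralises the markup in both the message and the textfield, so this changes only what the user sees, not whether anything is exploitable.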

Comments

arcaic created an issue.

cashwilliams:

I unpublished this and moved to private security.drupal.org issue

pwolanin:

Republished this since there's no security vuln; it just sounds like the customer doesn't like the way it looks?

Yes, using an alter hook is always better than hacking core.

YesCT:

Title: Reflected XSS Vulnerability? » Error message and the input field for the email address displays the original input
Issue summary: changed

drumm:

Restoring the issue author.