2014-09-01, 03:41:10
The plug-in works well, but it has a security problem: The admin email is exposed in a hidden input field in the page source:
Code:
<input type="hidden" name="contact[q_email]" value="xxxxx@mydomain.com">
It exposes the address of the admin account. This makes the plug-in not useful when privacy is needed. Since the contact form is posted back to the server, why not look up the admin address after the postback? It would make more sense. I do not know PHP code, or I would do it.
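Added example (not the plug-in's own code, and not written by the poster): a PHP sketch of the design the post asks for, with the weak form beside the corrected one. The rendered form carries nothing about the recipient; the server resolves the admin address only after the postback. It assumes the plug-in runs inside WordPress, so `get_option('admin_email')` and `wp_mail()` exist (a stand-in address is used when run from the command line), and it assumes the field names `contact[name]`, `contact[email]` and `contact[message]`, which are not on the page.

```php
<?php
// Added example, not the plug-in's code. Shows keeping the admin address out of
// the page source and looking it up server-side after the form is posted back.
//
// Assumptions: WordPress is present (get_option('admin_email') is available;
// stubbed below when run from the CLI); field names other than
// contact[q_email] are hypothetical.

// Weak design as described in the post: the recipient is rendered into a
// hidden field, so the address is visible to anyone who views the page source.
function render_form_exposing_admin(string $admin_email): string
{
    return '<form method="post">'
        . '<input type="hidden" name="contact[q_email]" value="'
        . htmlspecialchars($admin_email, ENT_QUOTES, 'UTF-8') . '">'
        . '<input type="text" name="contact[name]">'
        . '<textarea name="contact[message]"></textarea>'
        . '<button type="submit">Send</button></form>';
}

// Corrected design: the form carries only what the visitor types. Nothing
// about the recipient is sent to the browser at all.
function render_form(): string
{
    return '<form method="post">'
        . '<input type="text" name="contact[name]">'
        . '<input type="email" name="contact[email]">'
        . '<textarea name="contact[message]"></textarea>'
        . '<button type="submit">Send</button></form>';
}

// Server-side lookup of the recipient, performed only on postback.
function admin_recipient(): string
{
    if (function_exists('get_option')) {          // inside WordPress
        return (string) get_option('admin_email');
    }
    return 'admin@example.invalid';               // stand-in for the CLI demo
}

/**
 * Build the outgoing message from the posted fields. The recipient always
 * comes from admin_recipient(), never from the request, so a stray
 * contact[q_email] value in $post is ignored. Returns null on invalid input.
 */
function build_message(array $post): ?array
{
    $c       = $post['contact'] ?? [];
    $name    = trim((string) ($c['name'] ?? ''));
    $reply   = trim((string) ($c['email'] ?? ''));
    $message = trim((string) ($c['message'] ?? ''));

    if ($name === '' || $message === '' || !filter_var($reply, FILTER_VALIDATE_EMAIL)) {
        return null;                               // reject incomplete or invalid input
    }
    // Strip CR/LF from values that end up in mail headers.
    $name  = str_replace(["\r", "\n"], '', $name);
    $reply = str_replace(["\r", "\n"], '', $reply);

    return [
        'to'      => admin_recipient(),
        'subject' => 'Contact form: ' . $name,
        'headers' => ['Reply-To: ' . $reply],
        'body'    => $message,
    ];
}

// CLI demo with a constructed POST payload (not real data).
if (PHP_SAPI === 'cli') {
    $fake_post = ['contact' => [
        'name'    => 'Visitor',
        'email'   => 'visitor@example.invalid',
        'message' => 'Hello',
        'q_email' => 'ignored@example.invalid',   // present in the request, never used
    ]];
    $msg = build_message($fake_post);
    echo 'Rendered form contains admin address? ',
         (strpos(render_form(), admin_recipient()) === false ? "no\n" : "yes\n");
    echo 'Message will be delivered to: ', $msg['to'], "\n";
    // Inside WordPress the final step would be:
    // wp_mail($msg['to'], $msg['subject'], $msg['body'], $msg['headers']);
}
```

The point of the split is that `render_form()` has no access to the address at all, so there is nothing to leak; `admin_recipient()` runs only in the POST handler, where its result never leaves the server.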