Mail Helper Extension

Magic Data Forms provides a fully Magic Data enabled extension of the core mail helper. Any Magic Data tokens placed in the mail headers or content will be processed when mail is sent.

For security, any Magic Data tokens inserted by a user in form responses to a the core form block are sanitized and stripped from the response.

This behaviour is provided by overrides of the core form block controller and mail helper. If you do not require these overrides, they can be disabled by setting site constants.

  • MAGIC_DATA_FORMS_OVERRIDE_MAIL_HELPER - defaults to true, set false to prevent the core mail helper from being overridden.
  • MAGIC_DATA_FORMS_OVERRIDE_FORM_CONTROLLER - defaults to true, set false to prevent the core form block controller from being overridden. 

In particular, if you are using any form addon other than the core form block that sends email, you must either:

  1. Disable the mail helper override (and so forgo the use of magic data in emails).

  2. Add sanitization to the form $_POST data, as demonstrated in the override of the core form block controller provided with this addon. 

  3. Edit the mail helper override to comment unwanted lines of its processing. For example, if you only require Magic Data evaluation in the 'to' address, comment out all $mdeh->fill() lines other than that for the 'to' address. Even then, if an end user could enter a 'to' address, there is a potential for an insertion attack.

Method (2) above is strongly recommended as the best way to stay secure. Sanitize any user input that could contain Magic Data.

Such sanitization is already provided by this addon for the core forms block. If you are using the override for the core form block controller provided by this addon, you are safe that $_POST data from the form is already sanitized.


Last updated: over a year ago