Submit your Product Ideas to the Click Product Management Team below.
These will be reviewed for consideration in a future product release. It is not intended to provide Product Support. If you are having a product issue, please follow regular support procedures.
Thank you for taking the time to submit your thoughts!
Ensuring that our products address the needs of our customers is important to Click. By providing your input, you're helping us ensure that our products are built by Marketers, for Marketers.
Information about the Product Ideas portal can be found in this support article.
To submit ideas related to Click Intelligent Dashboards please go to this link.
Currently, Freemarker seems to be set up in such a way that HTML that's inserted via interpolations is not auto-escaped. This poses a security risk, as it allows a malicious person to inject HTML in your emails. Freemarker has a feature to auto-escape HTML, which I think should be enabled by default: https://freemarker.apache.org/docs/dgui_misc_autoescaping.html. Manual escaping is deprecated and is not something I'd want to burden other users with: https://freemarker.apache.org/docs/ref_directive_escape.html.
Why is this important?
Let's say you have a campaign that sends an email after someone signs up for a newsletter. To sign up for this newsletter, you have a form that asks for a first name and an email address. You email starts with:
Dear ${Recipient.contact.firstname[0]!""},
Welcome to our beautiful company ......
A malicious person could sign someone else up for your newsletter and enter the following as the first name:
recipient, <br><br><i>If you haven't signed up for this newsletter, <a href="https://maliciouslink.com">unsubscribe here</a>.<br><br>
Since the first name is injected into the email as is, this would result in something like:
Dear recipient,
If you haven't signed up for this newsletter,
unsubscribe here
.
,Welcome to our beautiful company ........
Of course, this person hasn't signed up for this newsletter and they might click on the malicious link. The sender is reputable, so it doesn't scream phishing attempt.
Now, you could make a case that CRM (or any other external system providing this user input) should either sanitize or escape first names, but this has (at least) two issues:
CRM is not (and should not) be concerned with how you're going to use the first name. It should accept the name as provided by the user. You might use it in very different ways, so a single way of sanitizing or escaping is not going to work.
You shouldn't make assumptions about people's names, especially if you operate in an international environment (I like to refer to this article which gets the point across pretty well: https://www.kalzumeus.com/2010/06/17/falsehoods-programmers-believe-about-names/)
Besides this, the first name is just an example. The issues concerns any CRM field which may contain user input in some way which may be used in an email.
In the end, escaping should happen in the email template, which is where you're sure what exactly has to happen with the input. Therefore, I believe this should be enabled by default (also so the user doesn't have to be concerned with it), which is a something that has to be implemented by ClickDimensions, as far as I'm aware. If someone wants to actaully inject HTML into their emails, they can disable auto-escaping in certain parts of the email.