Section 11.1.6
Sub Level: General
Only allow e-mail from authenticated users, and use the least user input possible in creating an e-mail message. Don't allow the destination address to be directly specified by external input (e.g., no hidden fields with e-mail destinations).
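As an added example (not part of the original guideline), a form-to-e-mail handler in Python that applies the General rule: only authenticated users may send, the destination is resolved from a server-side allowlist keyed by a form field rather than taken from the request, and only two bounded user fields reach the message. The names (`DESTINATIONS`, `build_message`, `User`) and all addresses are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Server-side mapping from a form "topic" to the real recipient. The client only
# picks a key; it never supplies an address. (Addresses are constructed placeholders.)
DESTINATIONS = {
    "support": "support@example.com",
    "billing": "billing@example.com",
}
MAX_SUBJECT = 120
MAX_BODY = 4000
_HEADER_BREAK = re.compile(r"[\r\n]")  # a subject must stay on one header line


@dataclass
class User:            # authenticated principal taken from the session
    email: str


@dataclass
class Message:
    to: str
    reply_to: str
    subject: str
    body: str


def build_message(user: Optional[User], form: dict) -> Message:
    """Build an outgoing message from an untrusted form; raise on any violation."""
    if user is None:
        raise PermissionError("e-mail is only accepted from authenticated users")
    # Destination comes from the allowlist; any "to"/"recipient" field in the
    # request (e.g. a hidden form field) is simply ignored.
    topic = form.get("topic", "")
    if topic not in DESTINATIONS:
        raise ValueError("unknown topic")
    # The least user input possible: subject and body, both length-bounded,
    # and the subject may not contain line breaks.
    subject = form.get("subject", "").strip()
    body = form.get("body", "").strip()
    if not subject or len(subject) > MAX_SUBJECT or _HEADER_BREAK.search(subject):
        raise ValueError("invalid subject")
    if not body or len(body) > MAX_BODY:
        raise ValueError("invalid body")
    return Message(to=DESTINATIONS[topic], reply_to=user.email,
                   subject=f"[contact:{topic}] {subject}", body=body)


def is_accepted(user: Optional[User], form: dict) -> bool:
    """True if build_message would accept the request (for callers that only need a verdict)."""
    try:
        build_message(user, form)
        return True
    except (PermissionError, ValueError):
        return False
```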
Sub Level: Natural Webagent
This does not apply to webAgent. When sending e-mails in Natural, never use user input for the To address.