Vulnerability in EPiServer.Forms
Our client wants to automatically add a "ReplyTo" address to all xforms submits.
What I can see, it is only possible to change "MailTo" and not add "ReplyTo".
Is this correct?
Yes, unfortunately. EPiServer "creates" sender directly just newing it up:
EMailConnection emailConnection = new EMailConnection();
which makes it impossible to fake it or wrap it. I would recommend to search for this issue in support ticket list. If there is none - then submit change request to EPiServer for at least hide `EMailConnection` class behind interface and let developers to override it.