Vulnerability in EPiServer.Forms
We've been troubleshooting a really odd thing around "mailto:"-links.
Looks like it triggers with some combination of host names where the root domain (or name used after the @ in e-mails) is one of the names.
To verify, create a new Alloy site (I get 12.23).
Start it and add a host name in Settings => Manage Websites => Edit Website => Host Names, using: test.se, Redirected (permanent).
Go to an XhtmlString property in Edit Mode and add a link, select E-mail and add email@example.com.
At this time, if you inspect the value using View Source in TinyMCE or browser tools, you can see that the value is: href="mailto:firstname.lastname@example.org"
Publish, and the href value gets changed to href="/EPiServer/CMS/Content/en/,,5/?epieditmode=false" - the start page... And in the template the link gets rewritten to https://localhost:5000/en/
Something goes wrong and "mailto:" is somehow ignored, and the start page gets picked up instead.
Adding a support case, but also posting here in case someone is faster and for visibility...
This is a known bug https://world.optimizely.com/support/Bug-list/bug/CMS-30439, and a fix will be released next week.