Advisories for Nuget/Umbraco.Forms package

The 'Send email' workflow does not HTML encode the user-provided field values in the sent email message, making any form with this workflow configured vulnerable, as it allows sending the message from a trusted system and address (potentially bypassing spam and email client security systems).

Character limits configured by editors for short and long answer fields are validated only client-side, not server-side.

Authenticated user that has access to edit Forms may inject unsafe code into Forms components.