Thread:User talk:Skizzerz/Security guidance/reply (3)

The fix for that takes far less than 107 lines of code. The proper solution is to move your process form inside of the special page itself (you can POST to the same special page, you know, it doesn't have to go to a file external to MediaWiki itself), and then use the built-in MediaWiki utilities to send email, such as UserMailer::send and UserMailer::sanitizeHeaderValue. Again, give Coding conventions a good read and see how other similar special pages, like those in Extension:ContactPage, do it.
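
A sketch of the structure the reply describes, added here as an illustration and not taken from the reply, from Extension:ContactPage or from the extension under discussion. The class name, field names and the choice of recipient are hypothetical, and it assumes a MediaWiki release in which FormSpecialPage, MailAddress, Html and UserMailer are available as global class names.

```php
<?php
// Added illustration; SpecialContactExample and its fields are hypothetical.
class SpecialContactExample extends FormSpecialPage {
	public function __construct() {
		parent::__construct( 'ContactExample' );
	}

	// HTMLForm renders these fields and posts back to this same special page.
	// It also adds and verifies the edit token, so the handler needs no
	// separate CSRF check and no external processing script.
	protected function getFormFields() {
		return [
			'Subject' => [ 'type' => 'text', 'label' => 'Subject',
				'required' => true, 'maxlength' => 200 ],
			'Body' => [ 'type' => 'textarea', 'label' => 'Message',
				'required' => true, 'rows' => 8 ],
		];
	}

	// Called only for a POST that passed field validation and the token check.
	public function onSubmit( array $data ) {
		$config = $this->getConfig();
		// Recipient and sender come from site configuration, never from the
		// form, so submitted input cannot choose where the mail goes.
		$to = new MailAddress( $config->get( 'EmergencyContact' ) );
		$from = new MailAddress( $config->get( 'PasswordSender' ) );
		// The subject becomes a mail header: neutralise CR/LF so user input
		// cannot append headers of its own.
		$subject = UserMailer::sanitizeHeaderValue( $data['Subject'] );
		// UserMailer::send() returns a Status, which the form reports on failure.
		return UserMailer::send( $to, $from, $subject, $data['Body'] );
	}

	public function onSuccess() {
		// Html::element() escapes the text content.
		$this->getOutput()->addHTML(
			Html::element( 'p', [], 'Your message has been sent.' )
		);
	}
}
```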