The solution will be to trim the email address before validating it.
Patch #6 has been reviewed by many people and is ready to be ported.
This generates a fatal error: "Invalid address" and results in only the first recipient in the list receiving the email.
The issue appears to be in the until after it tries to validate the email.
When the to address is a comma-delimited list of emails with spaces, input validation will fail with an error stating This bug also tripped me up.
I had comma-separated recipients, with spaces between. By just removing the spaces between recipients, all recipients were included.
NOTE: Comment Box question types cannot be validated.
A message will appear stating that a confirmation email has been sent to your new sender address.
In my case, there were no spaces between the comma-delimited emails (just commas).
Anyway, applied #6 (to 7.x-1.6), and now sending to multiple comma-delimited recipients is working fine again.
A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.
Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec as of 2007.