Your point is rather vague. Are you using unfiltered, unescaped user input in an auto-responder email? Or on an LP?
I wrote about these concerns a scary number of years ago: https://blog.teknkl.com/tokens-as-hacker-weapons-1/
Currently, we are not escaping the user input in the field we use in the auto responder email. Can you tell me how that works?
It’s in my blog above. Also see https://nation.marketo.com/community/product_and_support/blog/2019/09/17/even-when-velocity-isn-t-do...
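As an added illustration of the escaping question raised in this thread (example code, not from the linked blog post and not Marketo's own Velocity tooling), the following Python shows what happens when a submitted form value is dropped into an HTML auto-responder body verbatim versus HTML-escaped first, plus a simple check that flags markup the template itself never contained. The template, the `FirstName` field name and the sample submitted value are all constructed for this example.

```python
import html
import re

# Constructed sample: an HTML auto-responder body with one placeholder
# for a lead field (hypothetical field name, not a real Marketo token).
TEMPLATE = "<p>Hi {FirstName}, thanks for contacting us.</p>"

# Constructed sample of what an untrusted form submission might contain:
# the "name" carries an HTML link that would render inside the email.
SUBMITTED_FIELDS = {
    "FirstName": 'Jo <a href="https://example.invalid/">Verify account</a>',
}

_TAG_RE = re.compile(r"<\s*/?\s*([A-Za-z][A-Za-z0-9]*)")


def render_unescaped(template, fields):
    """Naive substitution: the user's value lands in the HTML as-is."""
    return template.format(**fields)


def render_escaped(template, fields):
    """Escape every field value for an HTML text context before substitution.

    html.escape(quote=True) turns <, >, &, " and ' into entities, so the
    value can only ever be displayed as text, never parsed as markup.
    """
    safe = {k: html.escape(str(v), quote=True) for k, v in fields.items()}
    return template.format(**safe)


def unexpected_tags(template, rendered):
    """Return tag names present in the rendered email but absent from the
    template. Any hit means a field value introduced its own markup."""
    allowed = {t.lower() for t in _TAG_RE.findall(template)}
    found = {t.lower() for t in _TAG_RE.findall(rendered)}
    return sorted(found - allowed)


if __name__ == "__main__":
    unsafe = render_unescaped(TEMPLATE, SUBMITTED_FIELDS)
    safe = render_escaped(TEMPLATE, SUBMITTED_FIELDS)
    print("unescaped:", unsafe)
    print("  injected tags:", unexpected_tags(TEMPLATE, unsafe))
    print("escaped:  ", safe)
    print("  injected tags:", unexpected_tags(TEMPLATE, safe))
```

The escaped variant keeps the recipient's text intact while preventing any submitted value from adding links, images or scripts to a message sent from your trusted sender domain. The `unexpected_tags` check is a cheap pre-send guard for the same class of problem; for fields such as names, which should never legitimately contain markup, rejecting or stripping tags at form-validation time is a stricter complement to escaping at render time.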