Protecting against base64 injection attacks in cfmail


I have a REST web service that accepts a bunch of fields. These fields are going to have processing and eventually become part of an email.


When I am building up the email, the field called message.image will later become rc.image and it will be added to the HTML email via

...
var body &= "<p><img src='#EncodeForHTMLAttribute(rc.image)#' alt='#EncodeForHTMLAttribute(rc.image_name)#'></p>"; 
...

My concern is that this could still be a vulnerability.

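An added example, not part of the original question: EncodeForHTMLAttribute keeps the value from breaking out of the src attribute but does not restrict what the value is, so this Python sketch shows an allow-list check to run before rc.image is written into the body. It assumes the field carries a base64 data URI; the function names, size limit and sample values are hypothetical.

```python
# Added example, not code from the original question.
# Assumption: the image field carries a base64 data URI.
import base64
import binascii
import re

# Accepted MIME types and the magic bytes their content must start with.
ALLOWED = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/jpeg": b"\xff\xd8\xff",
    "image/gif": b"GIF8",
}
MAX_BYTES = 256 * 1024  # hypothetical limit for an inline email image
DATA_URI = re.compile(r"data:(image/[a-z]+);base64,([A-Za-z0-9+/]+={0,2})\Z")


def validate_image_data_uri(value):
    """Return a canonical data URI or raise ValueError (hypothetical helper)."""
    m = DATA_URI.match(value)
    if not m:
        raise ValueError("not a base64 image data URI")
    mime, payload = m.groups()
    if mime not in ALLOWED:
        raise ValueError("MIME type not allowed")
    if len(payload) * 3 // 4 > MAX_BYTES:
        raise ValueError("image too large")
    try:
        raw = base64.b64decode(payload, validate=True)
    except binascii.Error as exc:
        raise ValueError("invalid base64") from exc
    if not raw.startswith(ALLOWED[mime]):
        raise ValueError("content does not match declared type")
    # Re-encode so only bytes decoded here reach the HTML body.
    return "data:%s;base64,%s" % (mime, base64.b64encode(raw).decode("ascii"))


def is_accepted(value):
    """True when the value passes every check above."""
    try:
        validate_image_data_uri(value)
        return True
    except ValueError:
        return False


# Constructed sample inputs (not real images, just enough bytes to classify).
SAMPLE_PNG = "data:image/png;base64," + base64.b64encode(
    ALLOWED["image/png"] + b"\x00" * 8).decode("ascii")
SAMPLE_HTML = "data:text/html;base64," + base64.b64encode(b"<p>hi</p>").decode("ascii")
SAMPLE_MISLABELED = "data:image/png;base64," + base64.b64encode(b"<p>hi</p>").decode("ascii")
```

The validated return value is what would then be passed through EncodeForHTMLAttribute; the output encoding stays in place and the validation is added in front of it.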