The announcement I am referring to was posted at: http://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
I have used code like this in many websites:
$mail = new PHPMailer(true);
$mail->SetFrom('info@mysite.com', 'My Site');
$mail->AddReplyTo( $contact_email, "$contact_name" );
$mail->Subject = $subject;
$mail->AltBody = $mail_text;
$mail->MsgHTML($mail_html);
$result = $mail->Send();
Am I safe from the vulnerability because my from address is hard-coded? Should I worry about the reply-to address, which comes from user input? I do validate it with filter_var, but if I understand correctly, a from address can pass validation and still inject code because spaces are technically allowed in email addresses.
