As long as there's some constraint in what the devious or criminally minded can do with the HTML. The iframe and script tags once bedeviled Yahoo Groups home pages (and Messages archives) until Y!Groups implemented a whitelist of "safe" tags. But that was in simpler times; I don't know what they do now.
2) The Invite Message box looks like a plain text entry box.
Hmm. I'm a little surprised that the HTML wasn't escaped in the message
Yeah, I'm not sure. I don't ask to verify email addresses either.
Having done it a few times on your site now I'm kind of with you on that. And I've always chuckled to myself as I paste a freshly generated password into both boxes on conventional sign-up forms - that doesn't really confirm anything so the purpose was lost.
On the other hand, my initial reaction tells me that your friend has a point. A Confirmation entry box is a familiar clue to the user that this is a place to register a new password. Right now the invite landing page says:
"Enter A Password For Your Groups.io Account".
The use of "A" instead of "The" is a pretty subtle clue. Perhaps it could say:
"Choose a new password to create your Groups.io account"
That's even more explicit than a Confirmation box. I'm being a little subtle too: I refer to "new password" here (and in join) to reinforce the idea that the user shouldn't re-use a password they're using elsewhere.
The other reason to have a Confirmation box is that the small bother now may avoid a larger inconvenience (or other cost) associated with correcting it later if you get it wrong. But I think your password reset mechanism (having now been through it too) is facile enough to eliminate this concern.