Question

I have a form that I validate the data with, and what I'm wondering is, do I need to sanitize the data JUST to send an email? The email will be sent to a predefined email address. Basically the form just asks for a name, an email (of the person using the form), and a URL.

Then this gets sent to the predefined email address. Is something like this safe enough to use? Is it vulnerable to use a simple ASP page like this:

<%
 ' Read the three form fields straight from the query string, unencoded
 dim objMessage
 dim FullName
 FullName=Request.QueryString("name")
 dim email
 email=Request.QueryString("email")
 dim videourl
 videourl=Request.QueryString("video")
 dim txtMessage
 ' The raw values are concatenated directly into HTML markup for the mail body
 txtMessage="<b><br><br>Name: " & FullName & "<br>Email: " & email & "<br><br>Video URL: " & videourl

' VBScript requires Set when assigning an object reference
Set objMessage = CreateObject("CDO.Message")
objMessage.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
objMessage.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserver") = "localhost"
objMessage.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25
objMessage.Configuration.Fields.Update
objMessage.Subject = "qContest Submission"
objMessage.From = email
objMessage.To = "predefined@email.org"
objMessage.HTMLBody = txtMessage
objMessage.Send
%>

NOTE: This is NOT using any database or anything like that...

Also this script is being called via AJAX, if that matters...


Solution

Always use Server.HTMLEncode when showing user-posted data in HTML. In this case you put it in the HTMLBody of the email, so I would definitely HTMLEncode:

FullName = Server.HTMLEncode(Request.QueryString("name"))

etc. This avoids the possibility of posting vulnerable things like JavaScript, as that could be executed when opening the email.
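The answer's fix applied to the page's script, as an added example rather than the asker's own code: each field is passed through Server.HTMLEncode before it is placed in the HTML body, while the From header, which is not HTML, still receives the raw address. The SafeField helper and the comments are assumptions of mine, not something from the original page.

```vbscript
<%
' Helper: read one query-string field and HTML-encode it for use in markup.
' The "" & prefix turns a missing field (Empty) into an empty string.
Function SafeField(fieldName)
    SafeField = Server.HTMLEncode("" & Request.QueryString(fieldName))
End Function

Dim FullName, email, rawEmail, videourl, txtMessage, objMessage

' Every value that lands in the HTML body is encoded here, so a submitted
' "<script>alert(1)</script>" is stored as "&lt;script&gt;alert(1)&lt;/script&gt;"
' and is rendered by the mail client as literal text, not executed.
FullName = SafeField("name")
email    = SafeField("email")
videourl = SafeField("video")

' HTMLEncode is an HTML-context encoding; the From header is not HTML,
' so it keeps the raw value exactly as the original script does.
rawEmail = "" & Request.QueryString("email")

txtMessage = "<b><br><br>Name: " & FullName & _
             "<br>Email: " & email & _
             "<br><br>Video URL: " & videourl & "</b>"

Set objMessage = CreateObject("CDO.Message")
objMessage.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
objMessage.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserver") = "localhost"
objMessage.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25
objMessage.Configuration.Fields.Update
objMessage.Subject = "qContest Submission"
objMessage.From = rawEmail
objMessage.To = "predefined@email.org"
objMessage.HTMLBody = txtMessage
objMessage.Send
%>
```

The encoding is applied once, at the point the value enters HTML, so the body cannot contain unescaped tags regardless of what the AJAX caller sends.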

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow