Encoding user input for emails
https://stackoverflow.com/questions/114148
-
02-07-2019 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
On a website if I have a form where the user can input some text and then a page which displays what the user has entered, I know to html encode the values the user has entered to prevent scripting attacks. If the form was sending html emails I presume I would do the same but is there any special cases for emails and will email clients run the any script injected into the email?
Solution
You should definitely HTML encode before assigning posted content to the HTML body of an email. Your code should already be rejecting content such as '<script>' as invalid, not just in the case of an email but in all cases.
There are no other considerations you need to worry about.
OTHER TIPS
While it would still be a good idea to strip <script> tags from your document before sending it, I think that the threat is low. I believe that you would be hard pressed to find an email client (still receiving support) that does not strip scripts before rendering an email.
I believe that by marking the email body as text/plain would avoid javascript and/or html attacks (but I wouldn't trust outlook on following what the headers suggest).
You should use an SMTP library that takes any burden (and potential bugs) which are caused by duplicated or missing escaping. Then, use plaintext mails only (text/plain).
To avoid security problems with buggy mail clients, you could also send a nearly empty mail, and the text as attachment (file extension ".txt", content-type "text/plain").
I would highly suggest using an existing, tested solution for sending mails. If you're passing user input to, say, the PHP mail() function--even with HTML encoding--it's possible for an attacker to craft a "body" that actually contains the headers to create a multi-part message.
