Question

I'm using Django Contact Form on a website to allow visitors to send emails.

Currently, it's escaping characters, so single and double quotation marks are converted to HTML entities (the numeric entity for `'` and `&quot;`) respectively. The emails would be more readable if quotation marks were displayed as ' and ".

I understand why I should never put unescaped input from visitors into my webpages, because of the risk of XSS. Is there the same risk with emails, or is it OK to send the visitor's unescaped input?


Solution

If these are HTML emails, then you wouldn't mind the escaping, so I'm assuming these are plain-text? In which case you want to disable the quoting. You can wrap the body of your template in

{% autoescape off %}
...
{% endautoescape %}

to leave your characters alone.

OTHER TIPS

I'd still encode them to be safe. Since most email clients allow images, there's nothing to stop someone using an img tag in an email to, say, get someone's IP address.
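The two answers above pull in opposite directions, and the reconciling point is that the right choice depends on the part's content type: a text/plain body should carry the visitor's quotes verbatim (what autoescape off achieves), while anything placed in an HTML body must stay escaped so an injected img tag is rendered as text rather than fetched. The following is an added example, not code from either answer or from Django Contact Form; it uses Python's standard-library html.escape in place of Django's escape filter (the exact entity text, `&#x27;` here, is what html.escape emits and may differ from a given Django version), and the visitor input and addresses are constructed, hypothetical values.

```python
import html
from email.message import EmailMessage

# Constructed sample of what a visitor might type into the contact form
# (hypothetical input, not taken from the original page).
SAMPLE_NAME = 'Ada "Countess" Lovelace'
SAMPLE_MESSAGE = "It's broken. <img src=\"http://tracker.example/pixel.gif\">"


def render_plain_body(name, message):
    """Plain-text body: no HTML escaping at all, the equivalent of wrapping a
    text/plain template in {% autoescape off %}. Quotes stay readable, and any
    markup is just inert characters in a text/plain part."""
    return f"From: {name}\n\n{message}\n"


def render_html_body(name, message):
    """HTML body: every visitor-supplied value is escaped, so a tag such as
    <img> is displayed as literal text instead of being loaded by the mail
    client (which is what would leak the reader's IP address)."""
    return "<p>From: {}</p>\n<p>{}</p>\n".format(
        html.escape(name, quote=True),
        html.escape(message, quote=True),
    )


def build_contact_email(name, message,
                        sender="noreply@example.invalid",   # placeholder address
                        recipient="owner@example.invalid"):  # placeholder address
    """Assemble a multipart/alternative message with the unescaped plain-text
    part first and the escaped HTML part as the alternative."""
    msg = EmailMessage()
    msg["Subject"] = "Contact form submission"
    msg["From"] = sender
    msg["To"] = recipient
    msg.set_content(render_plain_body(name, message))
    msg.add_alternative(render_html_body(name, message), subtype="html")
    return msg


def contains_raw_img_tag(body):
    """Return True if a rendered body still holds an unescaped <img ...> tag,
    i.e. a tag a mail client could act on if the body were shown as HTML."""
    return "<img" in body


if __name__ == "__main__":
    print(build_contact_email(SAMPLE_NAME, SAMPLE_MESSAGE))
```

Rendering the plain-text part without escaping is what the accepted answer suggests and is safe for that part, because a mail client never interprets tags in text/plain. The escaped HTML alternative is where the second answer's concern applies: the same message contains `&lt;img` there, so the tracking image is never requested.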

Licensed under: CC-BY-SA with attribution