I'm using Django Contact Form on a website to allow visitors to send emails.
Currently, it's escaping characters, so single and double quotation marks are converted to '
and "
respectively. The emails would be more readable if quotation marks were displayed as '
and "
.
I understand why I should never put unescaped input from visitors into my webpages, because of the risk of xss. Is there the same risk with emails, or is it ok to send the visitor's unescaped input?
There is no way to use an email address with an ampersand, e.. g. one&[email protected], for the Sender Email Address in an Email Campaign email message. Although some special characters are permitted in this field, the " & " symbol is not accepted.
However, the subject line of an email is not in HTML, XML, or XHTML. It's just pure text.
The message/RFC 822 content type is used to enclose a complete message within a message. It is different from other MIME body parts in that it must be a fully formed RFC 822 message, complete with headers.
If these are HTML emails, then you wouldn't mind the escaping, so I'm assuming these are plain-text? In which case you want to disable the quoting. You can wrap the body of your template in
{% autoescape off %}
...
{% endautoescape %}
to leave your characters alone.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With