Do I need to sanitize user-inputted data, before sending it in an email

I have a form in which I accept name, email and message from a user. I do the validation for name, email and message and just send it using the mail() function.

If I was inputting the $name, $email and $message in a database, I would escape this data for SQL injection; or, if I was echoing it out on a webpage, I would use htmlspecialchars().

What should I do when I am sending this data in an email? I know I don't have to worry about SQL injection, but what about XSS? Should I use htmlspecialchars() on these three variables too?

I send the mail like this:

mail('[email protected]', 'Contact From: '. $name, "$message", 'From: '. $email);

I have read about email injection, but I can't understand it.

Please let me know about this.

asked Jun 14 '13 18:06 by user2471133



1 Answer

The escaping entirely depends on the context the data is embedded into.

Are you sending HTML mails? Then you have HTML context, and htmlspecialchars() must be used.

If you are sending plain text mails, there is no escaping for plain text.

The only threat would be that your mail client has some bug that interprets the plain text as something executable and then acts up when you get some strange names and mail addresses.

But this only applies to the mail's content, not the actual headers.

You are using a custom mail header From. Do not use this. From is used in spam filters. If I entered my mail address, and you are sending this mail with From: my@mail, you are impersonating my own email server. Spam used to use this to hide the real source, and to redirect complaints and error feedback to the unhappy guy behind that mail address. Because of this, today there are mechanisms that will prevent such abuse. So just do not pretend I am sending this mail - YOU do.

If you want to be able to answer me with a click on the reply button, use the Reply-To header, but always use From: [email protected].

Additionally, these custom headers are the entry point for bad things. Make sure you are only adding mail addresses. Make sure you do not add any line feed characters. These would make the mailserver think that there is a new header coming up, and this might lead to mail header injection.

answered Sep 30 '22 05:09 by Sven
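An added example, not part of Sven's answer or the questioner's code, written in Python rather than PHP so the checks can be run stand-alone: it builds the four arguments the PHP mail() call takes with a fixed site From address, the user's address only in Reply-To, and rejection of any header value containing a CR/LF (the header injection the answer warns about). The site address and the address pattern are constructed placeholders.

```python
import re

# Constructed placeholder: the site's own mailbox. From is always this, never the user's address.
SITE_FROM = "noreply@example.com"

# Simple single-address pattern: one local part, one '@', one domain, no whitespace or control characters.
# It deliberately cannot match a second address or a line break appended after the first one.
_ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


class HeaderInjectionError(ValueError):
    """Raised when user data would break out of a mail header."""


def safe_header_value(value: str) -> str:
    """Reject any control character (CR, LF, ...) so the value cannot end the
    current header and start a new one such as 'Bcc:'."""
    if any(ord(ch) < 32 or ch == "\x7f" for ch in value):
        raise HeaderInjectionError("control character in header value")
    return value


def validate_address(addr: str) -> str:
    """Accept exactly one plain mail address; anything else is refused."""
    addr = addr.strip()
    if not _ADDR_RE.match(addr):
        raise HeaderInjectionError("not a single mail address")
    return addr


def build_contact_mail(name: str, email: str, message: str, recipient: str):
    """Return (to, subject, body, headers) in the shape PHP's mail() expects.
    The subject is a header too, so the name is checked the same way."""
    reply_to = validate_address(email)
    subject = "Contact From: " + safe_header_value(name)
    headers = {"From": SITE_FROM, "Reply-To": reply_to}
    # The body is plain text: no escaping applies there, and line breaks are harmless.
    return recipient, subject, message, headers
```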