Does PHP's FILTER_VALIDATE_EMAIL provide adequate security?

Question

I have a page where I want to accept an email address in the GET parameters. If I use FILTER_VALIDATE_EMAIL, am I still vulnerable to xss and javascript injection attacks, and the like?

I'm not asking if it's a good, or good enough, validator of email addresses. I want to know if one can still inject bad web code through arbitrary strings passed through it -- do I need to do additional filtering to prevent that?

Answer 1

That should be good enough, but naturally you should still escape it when entering it into a database, etc. You never know what kind of bug may exist in PHP or Apache, etc, that may allow an attack to happen anyway.

Answer 2

Yes, a valid email address can easily be used as the container for some carefully crafted strings that can be used to attack you.

Get out of the "filtering" mindset and get into the "escaping" mindset. A universal "make it safe" filter simply doesn't exist. It cannot exist, because all escaping must be done in a context-specific manner.

For example, if the email address will be output to a plain text document, then nothing is needed to be done. If it's being output into an html document, as a text node, then it needs to be escaped for an html context, so escape html special characters and entities. If it's being put into an html document, and it's value will be inside of an html attribute, then very very careful escaping would need to be performed, and it would depend on which html attribute. If it's being used in an sql query, then it needs to be escaped via a database specific escaping function, and even then you must escape differently if you're using it as a parameter value (i.e., where someColumn = '$paramVal'), vs a symbol name like a table name, a column name (i.e., order by $myEscapedColumnName DESC). and so on.

It's all about context of use, not content of the string. This goes for everything (not just emails or other user input), and it's not just a matter of security, but it's a matter of programming and syntax correctness. Proper escaping is complicated, and takes a lot of time to learn, and careful thought and consideration when you code. Many coders don't bother doing it due to the effort, and they are the ones who cause the company to get hacked.

fyi, the email address spec allows quoted strings, so something you could inject strings like "<script>alert('xss')</script>"@example.com. The possibilities are obvious.