PHPMailer sanitization

Tags:

php

phpmailer

The question is simple: should I use any type of sanitization when using the PHPMailer class?

I made a simple send-mail form that uses the PHPMailer class to send email. Currently I use only "htmlspecialchars" for sanitization (although I read that there is no need for this, but this information is not 100% reliable).

I tried to send some JS code between tags, and I received it sanitized, but I am unsure if some other type of attack can be done.

SomeoneS asked Feb 19 '23 06:02


2 Answers

You are not required to sanitize anything before sending to PHPMailer except checking whether the email address entered is a valid email address or not.

Data sanitization is for 2 reasons: SQL injection and XSS or CSRF (Cross Site Scripting or Cross Site Request Forgery). In either case, the user has to see something as output based on their input.

However, it is good that you asked about sanitization for mail classes, because ideally no one will ask for it. HTML tags? Of course you can send HTML tags! You can define the content-type as text/html.

What do you need to sanitize?

  1. Attachment type! Irrespective of the mail client, the exploit is always found in attachments. Allow only the following MIME types:

    'image/jpeg', 'image/pjpeg', 'image/gif', 'image/png', 'application/msword', 'application/vnd.ms-office', 'application/vnd.openxmlformats-officedocument.wordprocessingml.document', 'application/vnd.openxmlformats-officedocument.wordprocessingml.template', 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet', 'application/vnd.openxmlformats-officedocument.presentationml.presentation', 'application/pdf'

Checking the extension of the file is NOT recommended! Because the mail client might use functions like get_file_contents(), which will just open the file in the browser, and if it is JavaScript embedded with an extension of JPEG, it will STILL execute! (In IE6/IE7 it did.) However, that again is the browser's job, to have a powerful parsing mechanism. Content-Sniffing

  2. Size of attachments

Make sure you have a size limit.

The exploit may or may not be in the mail; the mail client has to take care of that. However, as a mailer-end coder, these are the 2 things you should take care of.

Hope that helps :)

Karma answered Feb 28 '23 13:02


I personally don't trust any input, so I sanitize everything. One thing to note, for instance, is that you might be using htmlspecialchars, but what happens if someone uses non-English characters? You will need to pass UTF-8 as a parameter to define the charset.

This simple omission (and by no means do I say that you did omit it) can cause XSS attacks.

My vote goes to HTMLPurifier. It is a very well-known and secure library that will allow you to sanitize input to a much higher degree than htmlspecialchars does.

/0.02

Nikolaos Dimopoulos answered Feb 28 '23 15:02
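Putting both answers' advice into working code, as an added example that is not from either answer: the recipient is checked with PHPMailer's own validateAddress(), attachments are checked by sniffed MIME type against the first answer's allowlist plus a size cap, and the body is escaped with an explicit UTF-8 charset as the second answer recommends. PHPMailer 6 via Composer, the form field names, the sender address and the 5 MB limit are assumptions.

```php
<?php
// Added example for a PHPMailer contact form; assumes PHPMailer 6.x
// installed through Composer and a form posting 'email', 'message', 'file'.
require 'vendor/autoload.php';
use PHPMailer\PHPMailer\PHPMailer;

// MIME allowlist from the first answer; the file extension is never consulted.
const ALLOWED_MIME = [
    'image/jpeg', 'image/pjpeg', 'image/gif', 'image/png',
    'application/msword', 'application/vnd.ms-office',
    'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
    'application/vnd.openxmlformats-officedocument.wordprocessingml.template',
    'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
    'application/vnd.openxmlformats-officedocument.presentationml.presentation',
    'application/pdf',
];
const MAX_ATTACHMENT_BYTES = 5 * 1024 * 1024; // assumed limit, tune as needed

// Returns the sniffed MIME type, or throws if the upload is not acceptable.
function checkAttachment(string $tmpPath): string
{
    if (!is_uploaded_file($tmpPath)) {
        throw new RuntimeException('not an uploaded file');
    }
    if (filesize($tmpPath) > MAX_ATTACHMENT_BYTES) {
        throw new RuntimeException('attachment too large');
    }
    // Sniff the content; $_FILES[...]['type'] comes from the client and is untrusted.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if (!in_array($mime, ALLOWED_MIME, true)) {
        throw new RuntimeException("disallowed attachment type: $mime");
    }
    return $mime;
}

$to = $_POST['email'] ?? '';
if (!PHPMailer::validateAddress($to)) {
    exit('invalid recipient address');
}
$mail = new PHPMailer(true);
$mail->CharSet = PHPMailer::CHARSET_UTF8;   // second answer: declare UTF-8
$mail->setFrom('noreply@example.com');      // fixed sender, never user-controlled
$mail->addAddress($to);
$mail->isHTML(true);
$mail->Subject = 'Contact form';
// Escape user text for the HTML body with an explicit charset (second answer).
$mail->Body = '<p>' . nl2br(htmlspecialchars($_POST['message'] ?? '', ENT_QUOTES, 'UTF-8')) . '</p>';
if (!empty($_FILES['file']['tmp_name'])) {
    $mime = checkAttachment($_FILES['file']['tmp_name']);
    // Neutral file name and the sniffed type, not whatever the client sent.
    $mail->addAttachment($_FILES['file']['tmp_name'], 'attachment', PHPMailer::ENCODING_BASE64, $mime);
}
$mail->send();
```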