views:

159

answers:

5

On a website, if I have a form where the user can input some text and then a page which displays what the user has entered, I know to HTML encode the values the user has entered to prevent scripting attacks. If the form was sending HTML emails I presume I would do the same, but are there any special cases for emails, and will email clients run any script injected into the email?

A: 

I believe that by marking the email body as text/plain would avoid javascript and/or html attacks (but I wouldn't trust outlook on following what the headers suggest).

ΤΖΩΤΖΙΟΥ
A: 

You should use an SMTP library that takes any burden (and potential bugs) which are caused by duplicated or missing escaping. Then, use plaintext mails only (text/plain).

To avoid security problems with buggy mail clients, you could also send a nearly empty mail, and the text as attachment (file extension ".txt", content-type "text/plain").

vog
A: 

While it would still be a good idea to strip <script> tags from your document before sending it, I think that the threat is low. I believe that you would be hard pressed to find an email client (still receiving support) that does not strip scripts before rendering an email.

Prestaul
A: 

You should definitely HTML encode before assigning posted content to the HTML body of an email. Your code should already be rejecting content such as '<script>' as invalid, not just in the case of an email but in all cases.

There are no other considerations you need to worry about.

AnthonyWJones
A: 

I would highly suggest using an existing, tested solution for sending mails. If you're passing user input to, say, the PHP mail() function--even with HTML encoding--it's possible for an attacker to craft a "body" that actually contains the headers to create a multi-part message.

Lucas Oman
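The points raised across the answers above (send text/plain, HTML-encode anything that lands in an HTML body, and never let user input reach a mail header where a line break could append headers of its own) can be checked in one place. The following is an added example, not code from the question or any of the answers; it uses Python's standard `email.message.EmailMessage` and constructed sample input. The `safe_header` check is deliberately explicit so the rule does not rely on whatever validation the mail library happens to do.

```python
import html
import re
from email.message import EmailMessage

# Constructed sample input: what a user might type into the web form.
USER_TEXT = "Hello! <script>alert('xss')</script> & more"

# Constructed header-injection attempt: a CR/LF inside a header field is
# what lets an attacker terminate the header and append new ones.
INJECTED_SUBJECT = "Hi\r\nBcc: victim@example.net"

_LINE_BREAK = re.compile(r"[\r\n]")


def safe_header(value: str) -> str:
    """Return value unchanged if it can safely be used as a header field.

    CR and LF terminate a header line, so a value containing either would
    let the caller smuggle extra headers (Bcc, Content-Type, ...) into the
    message. Reject rather than strip, so the caller sees the attempt.
    """
    if _LINE_BREAK.search(value):
        raise ValueError("header value contains a line break")
    return value


def build_plaintext_message(sender: str, recipient: str,
                            subject: str, user_text: str) -> EmailMessage:
    """Build a text/plain mail whose body carries the user's text verbatim.

    A text/plain body is rendered as text by mail clients, so markup the
    user typed is shown literally instead of being interpreted.
    """
    msg = EmailMessage()
    msg["From"] = safe_header(sender)
    msg["To"] = safe_header(recipient)
    msg["Subject"] = safe_header(subject)
    msg.set_content(user_text)  # Content-Type: text/plain
    return msg


def build_multipart_message(sender: str, recipient: str,
                            subject: str, user_text: str) -> EmailMessage:
    """Same mail with an HTML alternative; the user's text is entity-encoded
    so that '<script>' arrives as the six literal characters, not a tag."""
    msg = build_plaintext_message(sender, recipient, subject, user_text)
    escaped = html.escape(user_text, quote=True)
    msg.add_alternative(
        f"<html><body><p>{escaped}</p></body></html>", subtype="html")
    return msg


def subject_accepted(subject: str) -> bool:
    """True if a mail with this subject can be built, False if the header
    check rejects it. Used to show the injection attempt being refused."""
    try:
        build_plaintext_message("webapp@example.com", "alice@example.com",
                                subject, "x")
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    m = build_multipart_message("webapp@example.com", "alice@example.com",
                                "Form submission", USER_TEXT)
    print(m.as_string())
    print("injected subject accepted:", subject_accepted(INJECTED_SUBJECT))
```

The plain-text variant is the one the earlier answers recommend; the multipart variant is there to show what "HTML encode before assigning to the HTML body" looks like when an HTML part is genuinely needed.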