On a website if I have a form where the user can input some text and then a page which displays what the user has entered, I know to html encode the values the user has entered to prevent scripting attacks. If the form was sending html emails I presume I would do the same but is there any special cases for emails and will email clients run the any script injected into the email?
A:
I believe that by marking the email body as text/plain would avoid javascript and/or html attacks (but I wouldn't trust outlook on following what the headers suggest).
ΤΖΩΤΖΙΟΥ
2008-09-22 10:28:45
A:
You should use an SMTP library that takes any burden (and potential bugs) which are caused by duplicated or missing escaping. Then, use plaintext mails only (text/plain).
To avoid security problems with buggy mail clients, you could also send a nearly empty mail, and the text as attachment (file extension ".txt", content-type "text/plain").
vog
2008-09-22 10:57:37
A:
While it would still be a good idea to strip <script> tags from your document before sending it, I think that the threat is low. I believe that you would be hard pressed to find an email client (still receiving support) that does not strip scripts before rendering an email.
Prestaul
2008-09-22 13:16:07
A:
You should definitely HTML encode before assigning posted content to the HTML body of an email. Your code should already be rejecting content such as '<script>' as invalid, not just in the case of an email but in all cases.
There are no other considerations you need to worry about.
AnthonyWJones
2008-09-22 14:09:14
A:
I would highly suggest using an existing, tested solution for sending mails. If you're passing user input to, say, the PHP mail() function--even with HTML encoding--it's possible for an attacker to craft a "body" that actually contains the headers to create a multi-part message.
Lucas Oman
2008-09-22 14:42:14