I'm using Django Contact Form on a website to allow visitors to send emails.

Currently, it's escaping characters, so single and double quotation marks are converted to &#39; and &quot; respectively. The emails would be more readable if quotation marks were displayed as ' and ".

I understand why I should never put unescaped input from visitors into my web pages, because of the risk of XSS. Is there the same risk with emails, or is it OK to send the visitor's unescaped input?

A: 

I'd still encode them to be safe. Since most email clients allow images, there's nothing to stop someone from using an img tag in an email to, say, get someone's IP address.

Macha
HTML tags like images are still only effective when you deliberately include MIME headers to say the mail is HTML. Luckily, unlike with IE, mailers do not do content-sniffing.
bobince
+2  A: 

If these are HTML emails, then you wouldn't mind the escaping, so I'm assuming these are plain-text? In which case you want to disable the quoting. You can wrap the body of your template in

{% autoescape off %}
...
{% endautoescape %}

to leave your characters alone.

Ned Batchelder
Yes, they are plain text emails. I think I was being overly paranoid, worrying that an email reader would parse plain text as html.
Alasdair
No need to be paranoid, as your email will be in the plain text format, so clients "should" interpret it as plain text, and not notice tags.
Humphrey
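The thread above makes two points: Ned's answer says a plain-text mail can carry the visitor's text with escaping turned off, and Macha and bobince say the danger only exists when the mail is sent with a MIME type of text/html. The following is an added example, not code from the question, the answers, or the django-contact-form project. It uses only the Python standard library's email package (Django's template engine is not involved), an escape table that is assumed to match what Django's autoescaping produced at the time of the question, and a constructed contact-form submission with a made-up tracking-pixel URL. It builds the same submission as a plain-text mail (raw input, the effect of {% autoescape off %}) and as an HTML mail (escaped input, the effect of leaving autoescape on), and includes a check that only a text/plain part is allowed to carry unescaped input.

```python
from email.message import EmailMessage

# Escape table matching what Django's template autoescaping produced at the
# time of the question (an assumption about that version; recent Django
# delegates to html.escape, which emits &#x27; rather than &#39; for "'").
_ESCAPES = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;"}


def django_style_escape(text: str) -> str:
    """Escape the five characters Django's autoescaping touches.

    Each input character is looked up exactly once, so an '&' in the input
    is never double-escaped.
    """
    return "".join(_ESCAPES.get(ch, ch) for ch in text)


# Constructed contact-form submission: the quotes the asker wants readable,
# plus an img tag of the kind Macha warns about (the pixel URL is made up).
SUBMISSION = {
    "name": 'Alice "Al" O\'Brien',
    "message": 'Hi, it\'s me. <img src="http://tracker.example/pixel.gif"> Thanks!',
}


def _new_message(subject: str) -> EmailMessage:
    """Common headers for both mail variants (addresses are placeholders)."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg["From"] = "contact-form@example.com"
    msg["To"] = "owner@example.com"
    return msg


def build_plain_text_email(sub: dict) -> EmailMessage:
    """Plain-text mail: raw visitor input, the effect of {% autoescape off %}.

    set_content() with a str defaults to Content-Type: text/plain, so a mail
    client shows the tag and the quotes literally; nothing is rendered.
    """
    msg = _new_message("Contact form message")
    msg.set_content(f"From: {sub['name']}\n\n{sub['message']}\n")
    return msg


def build_html_email(sub: dict, escape: bool = True) -> EmailMessage:
    """HTML mail: visitor input is escaped before interpolation, which is
    what leaving autoescape on does.

    escape=False reproduces the mistake of dropping raw input into an HTML
    body; it is here only to show the difference, never use it for real mail.
    """
    clean = django_style_escape if escape else (lambda s: s)
    body = "<p>From: {}</p>\n<p>{}</p>\n".format(clean(sub["name"]), clean(sub["message"]))
    msg = _new_message("Contact form message")
    msg.set_content(body, subtype="html")
    return msg


def safe_to_leave_unescaped(msg: EmailMessage) -> bool:
    """Only a text/plain part may carry unescaped visitor input.

    This is bobince's point: the declared MIME type, not the content, decides
    whether a mail client will render tags, because mailers do not sniff.
    """
    return msg.get_content_type() == "text/plain"


if __name__ == "__main__":
    print(build_plain_text_email(SUBMISSION).as_string())
    print(build_html_email(SUBMISSION).as_string())
```

Running the module prints both messages: in the text/plain one the img tag and the quotes appear exactly as typed, while in the text/html one they arrive as `&lt;img ...&gt;`, `&quot;` and `&#39;`, which is what the asker was seeing in the plain-text mail before turning autoescape off.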