tags:

views:

94

answers:

2
+2  Q: 

Do I need to escape characters when sending emails?

I'm using Django Contact Form on a website to allow visitors to send emails.

Currently, it's escaping characters, so single and double quotation marks are converted to ' and " respectively. The emails would be more readable if quotation marks were displayed as ' and ".

I understand why I should never put unescaped input from visitors into my webpages, because of the risk of xss. Is there the same risk with emails, or is it ok to send the visitor's unescaped input?

A: 

I'd still encode them to be safe. Since most email clients allow images, nothing to stop someone using an img tag in an email to say... get someone's IP address.

Macha  2009-09-11 18:05:39
HTML tags like images are still only effective when you deliberately include MIME headers to say the mail is HTML. Luckily, unlike with IE, mailers do not do content-sniffing.
bobince  2009-09-11 21:41:40
+2  A: 

If these are HTML emails, then you wouldn't mind the escaping, so I'm assuming these are plain-text? In which case you want to disable the quoting. You can wrap the body of your template in 

{% autoescape off %}
...
{% endautoescape %}

to leave your characters alone.

Ned Batchelder  2009-09-11 18:21:59
Yes, they are plain text emails. I think I was being overly paranoid, worrying that an email reader would parse plain text as html.
Alasdair  2009-09-11 18:42:10
No need to be paranoid, as your email will be in the plain text format, so clients "should" interpret it as plain text, and not notice tags.
Humphrey  2009-11-30 22:55:25

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security