Sites like Facebook have the user's name in the subject line that sent you a message.

Because of this, what escaping would you do on user entered values in a message subject? Or would you just not allow anything other than a-z, 0-9, period, comma and single quotes?

+1  A: 

Escaping is needed if there are forbidden characters. The subject is terminated by a NL so this is the only (ASCII) character that shouldn't be put in the header.

See also rfc821

Gamecat
+1  A: 

It’s the same problem with contact forms.

If you look at an email header you get e.g. this:

Subject: user123 has sent you an invite
From: "User123" <[email protected]>

You have to make sure that user names do not resemble values of an email header. If it’s possible for a user to name himself “To: [email protected], [email protected], [email protected], [email protected]” you have to clean the input.

A search for “contact form spam” should show you what to do. You should at least remove all occurrences of "To:", "Subject:", "From:" etc.

Jakob Stoeck
+1  A: 

You need to be careful with email headers: 8-bit chars are a bit of a no-no (mail servers will reject them).

The proper way to do it is to MIME-encode your subject lines and make sure the ASCII char \n is not in the subject line (technically multi-line subjects are possible, but I'd imagine plenty of mail clients would have problems).

See http://en.wikipedia.org/wiki/MIME#Encoded-Word for more info.

Phil