[nycphp-talk] More confused now then before by PHP security!

csnyder chsnyder at gmail.com
Sun Jan 22 21:31:43 EST 2006


On 1/22/06, cliff <cliff at pinestream.com> wrote:
> While we are on the subject of escaping output, here's one that has me
> somewhat confused.
>
> Should I be escaping output for emails? And if so, with what?
>
> On the one hand, an email msg. could end up in a browser-based client. But
> on the other, it should be the responsibility of the email client program to
> escape output, whether it's browser-based or a client-side application --
> right?

You should be ensuring that user-submitted newlines can't creep into
your mail headers (or HTTP headers, for that matter), otherwise header
injection is possible.

I believe modern mail transport agents (and clients) can handle
anything nasty you send in the message body, but if you feel paranoid
you should make sure that email body content is ascii text with no
special characters like NULL "\x00" or EOT "\x04" lurking in it.

--
Chris Snyder
http://chxo.com/
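The header check Chris describes, written out as an added PHP example (this is not code from the thread or from either poster; the function names and the constructed inputs are my own). It refuses any header value containing CR or LF, so a user-supplied subject or address cannot start a new header line, and it strips NUL, EOT and other control bytes from the body before the message is handed to mail():

```php
<?php
// Added example, not from the original thread. Validate user-supplied
// values before they reach mail headers, and clean the message body.

/**
 * Return $value unchanged if it is safe to place in a single mail header
 * (Subject, From, Reply-To, ...), otherwise throw.
 */
function assertSafeHeaderValue(string $value): string
{
    // CR or LF (even a bare CR) ends the header line, which is exactly how
    // header injection appends extra recipients or headers.
    if (preg_match('/[\r\n]/', $value)) {
        throw new InvalidArgumentException('newline in mail header value');
    }
    // Other ASCII control characters have no place in a header either.
    if (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', $value)) {
        throw new InvalidArgumentException('control character in mail header value');
    }
    return $value;
}

/**
 * Reduce a message body to printable ASCII plus tab and newline,
 * dropping NUL "\x00", EOT "\x04" and every other control byte.
 */
function cleanBody(string $body): string
{
    // Normalise line endings first so a lone CR cannot survive.
    $body = str_replace(["\r\n", "\r"], "\n", $body);
    // Keep only tab, LF and printable ASCII 0x20-0x7E.
    return preg_replace('/[^\x09\x0A\x20-\x7E]/', '', $body);
}

// Constructed inputs for illustration only.
$goodSubject = 'Question about escaping output';
$badSubject  = "Hi\r\nBcc: someone@example.invalid"; // attempted header injection

echo assertSafeHeaderValue($goodSubject), "\n";

try {
    assertSafeHeaderValue($badSubject);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

$body = "Hello\x00 world\x04\r\nSecond line";
echo cleanBody($body), "\n"; // prints "Hello world" and "Second line" on two lines

// Only validated values go into mail(). The recipient, subject and the
// additional-headers string are all places a newline would otherwise land.
// $to, $subject, $from and $body are hypothetical form values here.
// mail(assertSafeHeaderValue($to), assertSafeHeaderValue($subject),
//      cleanBody($body), 'From: ' . assertSafeHeaderValue($from));
```

Rejecting rather than silently stripping is deliberate: a CR or LF in a subject line never comes from a legitimate form submission, so treating it as an error makes the attempt visible in your logs instead of quietly passing a mangled message through.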