Solved

How to Correctly Sanitize HTML Mail

Posted on 2006-06-22
578 Views
Last Modified: 2012-05-05
Hi!

Was wondering how to correctly sanitize the body of a HTML mail before sending...
Plain-text is no problem, but not sure about HTML...

Thanks!
-Julian.
0
Question by:Julian Matz
9 Comments
 
LVL 49

Expert Comment

by:Roonaan
ID: 16964168
Html email is just like a plain old html page you would load from the internet.

You need, however, to make sure that:
- You use absolute paths with images and links
- use inline styles (style="") rather than stylesheets in the head(<style></style> or <link />)

Or isn't this what you mean?

-r-
0
 
LVL 21

Author Comment

by:Julian Matz
ID: 16964191
Hi Roonaan,

I meant in regard to security... I was told never to use stripslashes() for example, but cannot think of an alternative...
0
 
LVL 49

Expert Comment

by:Roonaan
ID: 16964211
You would need to use a regular expression first to strip out <style> and <script> blocks.

Then you can use stripslashes to pass out any tags you don't want anyhow, like <pre> or <font> etc.

You would then probably need to use a regular expression to parse out any unwanted attributes to elements you do want to allow. Like for example onclick or other javascript events.

-r-
0
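An allowlist sanitizer for the mail body, added here as an example rather than taken from the thread. It uses PHP's DOMDocument instead of the regular expressions suggested above, because a real parser handles malformed, nested and entity-encoded markup that a pattern match misses; PHP 7.1 or newer is assumed.

```php
<?php
// Added example (not the thread's sanitize.inc.php): allowlist sanitizer for an
// HTML mail body. It parses with DOMDocument instead of regular expressions, so
// <script>/<style> blocks, on* event attributes and javascript: URLs are removed
// however they are cased, nested or entity-encoded. Assumes PHP >= 7.1.

const ALLOWED_TAGS  = ['p', 'br', 'b', 'strong', 'i', 'em', 'u', 'a', 'ul', 'ol', 'li', 'img'];
const ALLOWED_ATTRS = ['a' => ['href'], 'img' => ['src', 'alt']];   // every other attribute is dropped

function sanitize_html_body(string $html): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // user markup is rarely well-formed; collect, do not emit, warnings
    $meta = '<meta http-equiv="Content-Type" content="text/html; charset=utf-8">';
    $doc->loadHTML("<html><head>$meta</head><body>$html</body></html>");
    libxml_clear_errors();

    $body = $doc->getElementsByTagName('body')->item(0);
    clean_children($body);
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);  // serialise only what survived, without the wrapper
    }
    return $out;
}

function clean_children(DOMNode $parent): void
{
    // Walk a static copy: removing nodes while iterating the live list skips siblings.
    foreach (iterator_to_array($parent->childNodes) as $child) {
        if ($child instanceof DOMText) {
            continue;                    // text is entity-escaped by saveHTML on output
        }
        if (!($child instanceof DOMElement) || !in_array($child->tagName, ALLOWED_TAGS, true)) {
            $parent->removeChild($child);   // comments, and script/style etc. with all their content
            continue;
        }
        foreach (iterator_to_array($child->attributes) as $attr) {
            $keep = in_array($attr->name, ALLOWED_ATTRS[$child->tagName] ?? [], true);
            if ($keep && ($attr->name === 'href' || $attr->name === 'src')) {
                // Scheme allowlist: javascript:, data:, vbscript: and friends never match.
                $keep = preg_match('#^(https?://|mailto:)#i', trim($attr->value)) === 1;
            }
            if (!$keep) {
                $child->removeAttribute($attr->name);
            }
        }
        clean_children($child);
    }
}
```

Inline style attributes are dropped as well; if the mail needs them, add `style` to the allowlist only together with a check on its value.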
 
LVL 10

Expert Comment

by:ray-solomon
ID: 16974280
Well, you can simply include a single sanitizing script and call it easily. I use this in every script that has a form because it just works. Thanks to the OWASP project for creating this one.

read this post:
http://www.antionline.com/showthread.php?s=&threadid=264685
0
 
LVL 10

Expert Comment

by:ray-solomon
ID: 16974289
Just use the HTML flag to filter the body of the email before sending it, something like this:

<?php
// sanitize.inc.php is the OWASP-derived script linked in the previous comment;
// it defines sanitize() and the HTML flag constant used below.
include('sanitize.inc.php');

$Flags = HTML;   // tell sanitize() the input is HTML, not plain text

$sanitized_body = sanitize($unsanitized_email_body, $Flags);
0
 
LVL 21

Author Comment

by:Julian Matz
ID: 17028978
Thanks!

Apart from maybe entering some malicious HTML or JavaScript, there's nothing anyone can do to manipulate the mail() function or anything server-side, is there? I mean the way it's possible with the subject header for example...
0
 
LVL 10

Expert Comment

by:ray-solomon
ID: 17029148
For starters, you can add a Captcha, so someone has to type what a picture shows before submitting the form.

I would also record ip's that submit the form and disallow the ip's that submit 3 times or more. This could be easily implemented in your form with MySQL and PHP.

Here is just one article that shows how to make a captcha work.
http://codegrrl.com/!/scripts/view/nlphpmail/

0
 
LVL 21

Author Comment

by:Julian Matz
ID: 17161402
ray-solomon, I know about Captchas, but it's not what I meant. Sorry if I wasn't clear...
Basically I'm wondering if there's anything (characters or commands) a user can add to the mail body through a text-area input field to manipulate the headers -- like it can be done with the subject line by adding new line characters or something (I think).
0
 
LVL 10

Accepted Solution

by: ray-solomon (earned 500 total points)
ID: 17161832
It depends on how poorly the php script is created. If a script uses global variables to pass information to the mail function without sanitizing and verifying the variables before the mail function processes it, then yes, it can be used to spoof email headers and spam anyone.

For example:

Anyone can easily change the value of any of these variables if the variable name or input box name is known by passing the proper variables to the script.

mail($to, $subject, $message, $headers);

I found a website that can explain this better:
http://www.securephpwiki.com/index.php/Email_Injection

Server commands can be executed through the mail function via shell vulnerabilities, or it can be used to manipulate the headers being sent to the sendmail server. Here is an old proof of concept that used to work. Of course, this does not work anymore, but that isn't to say it is completely safe to use this function.
http://marc.theaimsgroup.com/?l=bugtraq&m=103011916928204

Hopefully you will learn that you can never trust input from anyone. Everything should be filtered and verified. If you take a look at other email services like msn, yahoo, excite..., there is a lot of verification that the user has to go through when signing up these days. I would suggest reading this website for more questions on php and security: http://www.securephpwiki.com/index.php/Main_Page
0
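The verification the accepted answer calls for, as an added example that is not code from the thread: every user-controlled value that ends up in a header is rejected if it contains a line break, the recipient is hard-coded, and the form field names 'from', 'subject' and 'body' are assumed.

```php
<?php
// Added example, not code from the thread: validate everything that reaches
// mail() so a line break in a form field cannot append headers (extra
// recipients, Bcc:, a second From:). The recipient is fixed in the script, never
// taken from the request. Form field names 'from', 'subject', 'body' are assumed.

function has_header_injection(string $value): bool
{
    // CR, LF or NUL ends the current header line and lets the sender start a new one.
    return preg_match('/[\r\n\0]/', $value) === 1;
}

function build_mail_arguments(array $input): array
{
    // Non-string values (e.g. from[] submitted as an array) are treated as empty.
    $from    = is_string($input['from'] ?? null)    ? trim($input['from'])    : '';
    $subject = is_string($input['subject'] ?? null) ? trim($input['subject']) : '';
    $body    = is_string($input['body'] ?? null)    ? $input['body']          : '';

    foreach (['from' => $from, 'subject' => $subject] as $field => $value) {
        if (has_header_injection($value)) {
            throw new InvalidArgumentException("line break in $field rejected");
        }
    }
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('from is not a single address');
    }
    // The body follows a blank line, so it cannot reach the headers; still drop
    // ASCII control characters other than tab and line breaks, which some MTAs mangle.
    $body = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', '', $body);

    // Headers are assembled here with fixed line endings from values now known
    // to contain no line breaks.
    $headers = "From: $from\r\nContent-Type: text/html; charset=UTF-8\r\n";

    // 'to' is a constructed placeholder and deliberately hard-coded.
    return ['to' => 'webmaster@example.com', 'subject' => $subject,
            'body' => $body, 'headers' => $headers];
}

// Usage: $m = build_mail_arguments($_POST);
//        mail($m['to'], $m['subject'], $m['body'], $m['headers']);
// Never build mail()'s fifth argument ($additional_params) from user input: it is
// appended to the sendmail command line.
```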