Julian Matz
asked on
How to Correctly Sanitize HTML Mail
Hi!
Was wondering how to correctly sanitize the body of an HTML mail before sending...
Plain-text is no problem, but not sure about HTML...
Thanks!
-Julian.
ASKER
Hi Roonaan,
I meant in regard to security... I was told never to use stripslashes() for example, but cannot think of an alternative...
You would need to use a regular expression first to strip out <style> and <script> blocks.
Then you can use stripslashes to pass out any tags you don't want anyhow, like <pre> or <font> etc.
You would then probably need to use a regular expression to parse out any unwanted attributes to elements you do want to allow. Like for example onclick or other javascript events.
-r-
Well, you can simply include a single sanitizing script and call it easily. I use this in every script that has a form because it just works. Thanks to the OWASP project for creating this one.
read this post:
http://www.antionline.com/showthread.php?s=&threadid=264685
Just use the HTML flag to filter the body of the email before sending it, something like this:
include('sanitize.inc.php');  // OWASP sanitize library: provides sanitize() and the HTML flag constant
$Flags = HTML;                 // treat the value as HTML and filter it accordingly
$sanitized_body = sanitize($unsanitized_email_body, $Flags);
ASKER
Thanks!
Apart from maybe entering some malicious HTML or JavaScript, there's nothing anyone can do to manipulate the mail() function or anything server-side, is there? I mean the way it's possible with the subject header for example...
For starters, you can add a Captcha, so someone has to type what a picture shows before submitting the form.
I would also record IPs that submit the form and disallow the IPs that submit 3 times or more. This could be easily implemented in your form with MySQL and PHP.
Here is just one article that shows how to make a captcha work.
http://codegrrl.com/!/scripts/view/nlphpmail/
ASKER
ray-solomon, I know about Captchas, but it's not what I meant. Sorry if I wasn't clear...
Basically I'm wondering if there's anything (characters or commands) a user can add to the mail body through a text-area input field to manipulate the headers -- like it can be done with the subject line by adding new line characters or something (I think).
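Added example (Python; not code from this thread nor from the OWASP sanitize.inc.php mentioned above) covering both points raised so far: an allowlist-based sanitizer for the HTML body, which drops <script>/<style> blocks, unknown tags, on* event attributes and any non-absolute or javascript: URL, plus the CR/LF check that answers the header question. The tag and attribute allowlists are assumptions chosen for illustration.

```python
import html
import re
from html.parser import HTMLParser
# Allowlist for an HTML mail body (constructed for this example; adjust to taste).
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "strong", "em", "ul", "ol", "li", "a", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
VOID_TAGS = {"br", "img"}
SAFE_SCHEMES = ("http://", "https://", "mailto:")  # absolute URLs only, as mail needs

class MailHtmlSanitizer(HTMLParser):
    """Re-serialises allowlisted tags/attributes only; <script>/<style> are dropped with contents."""
    def __init__(self):
        super().__init__()            # convert_charrefs=True: entities arrive decoded, re-escaped below
        self.out, self.skip = [], 0   # skip > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
            return
        if self.skip or tag not in ALLOWED_TAGS:
            return                    # tag dropped, its text content is still kept
        kept = ""
        for name, value in attrs:
            value = (value or "").strip()
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue              # drops onclick, onerror and every other on* handler
            if name in ("href", "src") and not value.lower().startswith(SAFE_SCHEMES):
                continue              # drops javascript:, data: and relative URLs
            kept += f' {name}="{html.escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(self.skip - 1, 0)
        elif not self.skip and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))

def sanitize_mail_html(body: str) -> str:
    p = MailHtmlSanitizer()
    p.feed(body)
    p.close()
    return "".join(p.out)

def header_value_safe(value: str) -> bool:
    """CR/LF/NUL in Subject/From/To would end that header and let extra headers be appended.
    The body follows the blank line that ends the headers, so a line break there cannot add one."""
    return re.search(r"[\r\n\x00]", value) is None
```

The body therefore only needs markup filtering; header fields taken from the form must be rejected (not just cleaned) when header_value_safe() returns False.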
ASKER CERTIFIED SOLUTION
You need however to make sure that:
- You use absolute paths with images and links
- You use inline styles (style="") rather than stylesheets in the head (<style></style> or <link />)
Or isn't this what you mean?
-r-