[nycphp-talk] Filtering input to be appended inside email
Daniel Convissor
danielc at analysisandsolutions.com
Tue Sep 13 10:58:31 EDT 2005
Hey Mikko:
On Tue, Sep 13, 2005 at 05:19:18PM +0300, Mikko Rantalainen wrote:
>
> That looks pretty simple but it doesn't allow even nearly all valid
> email addresses.
I know. Particularly international domain names. :)
> # header cannot contain CRLF
> # our implementation strips out CRs, make sure all LFs
> # are safe and reinserts CRs
> $value = preg_replace("@\r@","",trim($value));
> $value = preg_replace("@\n@","\n ",$value);
> $value = preg_replace("@\n@","\r\n",$value);
That can be done in one call (untested):
$value = preg_replace("/[\r\n]+/", "\r\n ", trim($value));
I see the point of this is putting a space at the beginning of the line so
the input doesn't get interpreted as a new header line. But in my
opinion, when user input is involved, allowing \r or \n isn't wise in the
first place.
> Body doesn't need to be handled unless you use HTML mail (shame on
> you), in which case all XSS issues are there waiting.
But some (many?) email clients are F'ing stupid.
--Dan
--
T H E A N A L Y S I S A N D S O L U T I O N S C O M P A N Y
data intensive web and database programming
http://www.AnalysisAndSolutions.com/
4015 7th Ave #4, Brooklyn NY 11232 v: 718-854-0335 f: 718-854-0409
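The two approaches discussed above side by side, as an added PHP example (not code from the thread; the function names and the sample subject are constructed for illustration):

```php
<?php
// Added example: two ways to keep user-supplied text from starting a new
// header line when it is appended into an email header.

// Mikko's approach, written in Dan's single-call form: collapse any run of
// CR/LF into CRLF followed by a space, i.e. a folded continuation line, so
// whatever follows stays part of the current header field.
function fold_header_value(string $value): string
{
    return preg_replace("/[\r\n]+/", "\r\n ", trim($value));
}

// Dan's position: when the value comes from a user, refuse it outright if
// it contains CR or LF (or a NUL byte) instead of trying to make it safe.
// Returns null for a rejected value so the caller can fail the request.
function header_value_or_null(string $value): ?string
{
    $value = trim($value);
    if (preg_match("/[\r\n\0]/", $value)) {
        return null;
    }
    return $value;
}

// Constructed sample input: a "subject" carrying an embedded line break
// followed by text shaped like a second header field.
$sample = "Hello\r\nBcc: someone@example.com";

// Folding keeps everything on one logical Subject line; strict checking
// rejects the value entirely and accepts only the plain one.
var_dump(fold_header_value($sample));
var_dump(header_value_or_null($sample));
var_dump(header_value_or_null("Hello"));
```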