Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
Question is simple: should i use any type of sanitization when using PHPmailer class?
I made simple send mail form that use phpmailer class to send email. Curently i use only “htmlspecialchars” for sanitization (aldough i read that there is no need for this, but this information is not 100% reliable).
I tried to send some js code between tags, and i received it sanitized, but i am unsure if some oher type of attack can be done.
You are not required to sanitize anything before sending to phpMailer except checking if the email address entered is valid email address or not.
Data sanitization are for 2 reasons : SQL injection and XSS or CSRF (Xross Site Scripting or Cross site Request Forgery)
In either of cases, user has to see something as output based on their input.
However, it is good that you asked about sanitization for mail classes because, ideally no one will ask for it. HTML tags? Ofcourse you can send HTML tags! You can define content-type as
text/htmlWhat you need to sanitize?
Attachment type! Irrespective of mail-client exploit is always found in attachments. Allow only following mime-types:
image/jpeg’, ‘image/pjpeg’, ‘image/gif’, ‘image/png’, ‘application/msword’, ‘application/vnd.ms-office’, ‘application/vnd.openxmlformats-officedocument.wordprocessingml.document’, ‘application/vnd.openxmlformats-officedocument.wordprocessingml.template’, ‘application/vnd.openxmlformats-officedocument.spreadsheetml.sheet’, ‘application/vnd.openxmlformats-officedocument.presentationml.presentation’,’application/pdf’
Checking for Extentions of the file is NOT recommended! Because, the mail client might use functions like get_file_contents() which will just open the file in browser and if it is javascript embedded with an extension of JPEG, it will STILL execute! (in IE6/IE7 it did) however, that again is browsers job to have powerful parsing mechanism. Content-Sniffing
Make sure you have size limit.
Exploit may or may not be in the mail, mail client has to take care of it. However, as a mailer-end coder, these are 2 things which you should take care of.
Hope that helps 🙂