PHP email contact form issue

I'm building a PHP contact form and am using the htmlspecialchars() function to convert html characters into their literal equivalents to avoid XSS attacks.

OK, that's fine, but when I send the email (to my Yahoo account), the email is shown as just plain text, so < is printed in the email as &lt; which I don't want, since I still want the user to be able to use these characters in fields, but obviously only as literals, not as html.

So, a few questions,
1. Do I need to escape html chars at all if I am only sending a plain text email? Or only if the email will be rendered as an html email?

(I won't be printing any of the data in any page, so it is only the generated email that concerns me.)

2. Can I guarantee that all email clients will only view the email as plain text instead of trying to render it as html? Or is there a way to force the email client to view the email as either text or html?

3. If someone could just clarify for me exactly when html characters should be escaped in form input that would be good.
I think only if,
i. the data will be printed in the site somewhere
ii. the data will be entered into a database
iii. the data will be formed into an html email
But *not* if the data will only be stored/viewed as plain text. Is this right?

Thanks in advance to anyone who can help me with this!
 
if you're sending in plain text, why not just strip_tags() ?

use PHP's PDO class as it automatically escapes database input, and PEAR's Mail and Mail_Mime extensions for email sending as they give you greater control over your email
 
strip_tags() looks like it'll do the job... thanks for that!

I still think it would be good if they could be left in, but rendered harmless (by converting html characters to literals) so that you could easily identify when the form had been attacked. But I guess prevention is better than cure in any case!

Will look into PEAR, although I really only want to send very basic emails (atm anyway), so I don't think I need anything more advanced than mail().

I'm just trying to make the script as secure as I can make it before it goes public.
 
you can pass allowable tags to the second argument of strip_tags. Realistically, you will only want to rid script tags I should imagine, in which case, you could use a regex to do it.
 
Yeah, might be more flexible in the long run. Is there a list somewhere of all the tags that strip_tags() removes? Presumably every html tag but does it also get rid of javascript tags?

ps. Thanks for all the help!
 
yeah, it removes script tags. IME, it removes everything between <blah>, <blah /> and </blah> type tags.

Shame you can't specify which tags you want it to remove rather than which tags you want it to leave.
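An added example, not code posted in this thread, that puts the three contexts the thread discusses side by side: the same constructed form values as a text/plain body with no HTML escaping, as a text/html body where every value goes through htmlspecialchars(), and through strip_tags(). The Content-Type header is what tells the client how to render the body rather than letting it guess; the sample values and the recipient address are placeholders.

```php
<?php
// Added example (not from the thread). Escaping is chosen per output context,
// not at the moment the form is submitted.
declare(strict_types=1);

// Constructed sample input: HTML characters that the sender means literally.
$name    = 'Dave <dave@example.invalid>';
$message = 'Use <b> for bold; note that x<y holds.';

/** Escape one value for an HTML context (page or HTML email). */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Context 1: text/plain body. No HTML escaping; the client shows characters as typed. */
function plainTextBody(string $name, string $message): string
{
    return "Name: $name\nMessage: $message\n";
}

/** Context 2: text/html body. Every user-supplied value is escaped. */
function htmlBody(string $name, string $message): string
{
    return '<p><b>Name:</b> ' . h($name) . "</p>\n"
         . '<p><b>Message:</b> ' . h($message) . "</p>\n";
}

/** Headers that fix the rendering mode instead of leaving it to the client. */
function mailHeaders(bool $html): string
{
    $type = $html ? 'text/html' : 'text/plain';
    return "MIME-Version: 1.0\r\nContent-Type: $type; charset=UTF-8\r\n";
}

$useHtml = false;
$body    = $useHtml ? htmlBody($name, $message) : plainTextBody($name, $message);
// mail('you@example.invalid', 'Contact form', $body, mailHeaders($useHtml));
echo $body;

// Context 3: strip_tags() removes tags instead of neutralising them, and it is lossy:
// a '<' not followed by whitespace starts a "tag", so text after an unclosed '<' is
// dropped, whereas htmlspecialchars() keeps every character and just encodes it.
echo strip_tags($message), "\n";
echo h($message), "\n";
```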
 