Sanitize user inputs destined for email

2018-06-07 00:54:16

I am considering the xss sanitization of user-supplied inputs gathered from an Internet-facing ASP.NET MVC5 web site. Sanitizing such inputs when presenting them back in a browser is well-documented and catered for. However, I haven't found reputable guidelines for how best to handle sanitization in the context of constructing emails which contain said user-supplied values.

By default, I will be sending plain-text messages which suggests that I don't need to HTML-encode these values. However, I am concerned that modern mail clients will attempt to render anything which looks like HTML as HTML.

I could just HtmlEncode everything, but then we consider the input for "Company name" which can quite legitimately contain the "&" symbol and I'm not keen on sending a message that reads " Father &amp; Son Ltd. "

So, it is possible for XSS to exist in email, and has happened in the past, but it is considered a vulnerability in the email client, nothing to do with the sender. It pretty much only happens in a web-based email (like gmail) rather than something like Outlook. Email clients don't generally (and should not) run scripts from emails (desktop clients especially).

So I would say you don't really need to worry about this issue. It would be considered a vulnerability in the email client, and if such a vulnerability was known by an attacker, they wouldn't bother using your weird client, when they would be able to craft an email exactly how they'd like by sending it themselves.

I am only answering from a security standpoint, if your concern is about the client including styles/links/etc, that's a different issue. I would consider any email client trying to render a plaintext email as HTML is broken and not something you should worry about.

When you send an email, you can specify whether it's going to be a plain-text or an HTML email.

MailMessage mail = new MailMessage("you@yourcompany.com", "user@hotmail.com");
mail.IsBodyHtml = false;
...

This adds a header instructing the email client how to display the email content. Modern email clients will respect this setting.

So if you are sending a plain-text email, don't do anything to escape HTML values.

If you are sending an HTML email, you'll want to HTML-encode any user-provided values. This is not a security matter, so much as a matter of correctness: If your user inputs "Bruce Lee<Chuck Norris" , even if it's not maliciously, you don't want the rest of the email after that point to be interpreted as a giant HTML tag, making it effectively invisible to users.

If you do end up sending an HTML-bodied email, you won't want the overall template to be in plain-text. You may want to consider using a Razor template, which will give you better tooling support for constructing the HTML for the email, and cause model-based values to be HTML-encoded by default:

@model WelcomEmailModel

<p>Dear @Model.CompanyName,</p>

<p>...

链接地址: http://www.djcxy.com/p/21654.html

上一篇: 暴力破解在asp.net中进行安全登录

下一篇: 清理用于输入电子邮件的用户输入