I am trying to create a PHP page for users to send emails to other users in HTML.
On my page (email.php) there is a textarea for user to input their message.
Since I send the email from my server I don't want the user to write malicious code/message content (html, links, php, bad words etc) that will result in my servers email IP getting banned as spam.
I know I can validate by using functions like str_replace() htmlentities() strip_tags() etc
How can I stop the user from entering tags, links etc in textarea so the email is clean when sent. Is there some function to just filter the whole message string if it matches an email body format or a way to convert the message string to just clear text so any malicious links/tags will just show to the user as a href='/link'>malicious link not 'malicous link' and instead of html tags running they just show as the tag itself?
Like gumtree for instance when you send email you get form with textarea for message
thanks for any suggestions
Could you clarify a bit?
From what you've described, strip_tags() then htmlentities() seems sufficient, unless I misunderstand what you are asking. Both functions are not for validation, but filtering.
strip_tags() removes PHP and HTML tags, and htmlentities() will ensure applicable characters are converted to their HTML entity equivalents.
I'd recommend a third-party library like HTML Purifier that uses a white-list approach.
You cannot stop users to insert html tags, not even with javascript. Since almost all browsers have development tools and any html element from any website can be altered after the page is loaded.
You can develop an javascript validation just for eye view, but php validation is a MUST since you cannot limit an user.
Even headers can be modified ... so you need those php filters, as you mentioned above.
Related
I created a php form that uses strip_tags to send mail to the client. The form is not connected to any database.
What are the potential risks of malicious use?
The function strip_tags is used to filter out tags that might otherwise render something on the screen.
So it prevents the use of images, iframes, tables, layout.
This is probably not what you want.
You can however add a second parameter to the function with a list of tags that are allowed so you can still keep the tags you need.
I don't think this is really handy if only you send the emails. If people using your website have the ability to send emails then it might be of help
I understand about mysql_real_escape_string and such, But what about when i am just sending an email?
So I have form, and a textbox, is there any vulnerabilities in just directly emailing the $_POST data to a user? I guess they wouldnt be able to execute any PHP.. or can they if they run it from a web address? I am not sure.
If it is being sent directly to an email then it will be fine. If it is being stored in a database to be displayed on an administrator page such as a helpdesk, etc. then it will need to be escaped for both html output and mysql. You can escape mysql using a number of functions:
If using PDO then use prepare statement :
http://php.net/manual/en/pdo.prepare.php
Otherwise I would use :
http://php.net/manual/en/mysqli.real-escape-string.php
That said because Emails can contain HTML, if you don't want to receive emails that people have put bogus HTML in such as <blink> (Which is really annoying) then you can use htmlspecialchars() : http://php.net/manual/en/function.htmlspecialchars.php
If you are worried about Javascript in emails then using htmlspecialchars() noted above will escape this also.
The problem is don't trust a user input. The biggest problem is, when you set the Email adress or BCC from your POST variable. That any email address can be set over the Request.
But its possible to send links or something else to user over your form. For this you should implement a captcha. That a bot cannot send your form with defined values to anyone.
A last solution is a hidden text field in your form. You can hide them with CSS. When the field is not empty you know that a bot has filled them.
But i think its good when you escape your POST vars with htmlspecialchars()
So there are a lot of possibilities to secure a form. You should use not only one of them and trust the user.
I have a PHP application that I use to build Emails. When the Email is sent, it is a multipart form with both an HTML part and a plain text part.
In order to create the plain text part, I use the PHP strip_tags function on the HTML version of the content, and display the result. Works just fine.
I now have a situation where I want to say something in the HTML part that I don't want to say in the plain text part. (It's instructions related to an embedded image of a QR code - and the QR code doesn't show in the plain text version of the Email.)
What I was thinking was - if I could somehow embed the instructions in an HTML tag, then the strip_tags function would strip it out.
However, I can't find any HTML tag that contains text that get's displayed, other than the VALUE string in an INPUT or SUBMIT tag, and I don't think creating an input field would work - there is more than a line of text.
I realize that by definition, HTML is supposed to be a "markup language" and therefore separate and independent from the content on the page. And so I am asking to do something that it really isn't designed to do, but thought I would put it out there to see if anyone happens to have a way to do this, or know that it definitely cannot be done.
Thanks............!!
Why don't you build your HTML content, then generate the plain-text version from it, and then after that is complete add the HTML specific content to the HTML content string?
Another option would be to put some HTML comments around the HTML-only content that you can easily use to strip out that section before you convert to plain-text.
What's a method to sanitize PHP POST data for passing to a mail function? (I prefer a method that's not part of the mysql_function() family of functions.)
I take the data, sanitize it, print it back to the user and send it in an email to a preset address.
EDIT:
I'm just sending the email to our email address so we can send out a mailing to the address in the email.
Have you looked at the filter functions
e.g http://www.php.net/manual/en/function.filter-var.php
Since you're printing it back to the user, you need to escape any HTML content.
strip_tags()
and
html_special_chars() are quite useful in filtering the message content, especially if you're using html messages.
See also:
How to sanitze user input in PHP before mailing?
which mentions doing a find & replace on newlines that could allow injecting content into the mail headers.
As you're using a pre-set mail address the risk is reduced, but the subject field is still vulnerable.
Sanitizing for an e-mail would be equivalent to sanitizing for HTML output. I see some suggestions on SO for HTML Purifier.
I have a user form with a textarea that allows users to submit html formatted data. The html itself is limited by PHP strip_tags, but of course that does no completion checking etc.
My basic problem is that should a user leave a tag unclosed, such as the <a> tag, then all the content following that, including page content that follows that is 'outside' the user content display area, could now be malformed.
Checking for proper tag completion is one solution I will look at, but ideally I'd like to firewall the user htmlified content away from the rest of the site somehow.
Use HTML Purifier. Very thorough and easy-to-use standalone plugin. It makes sure all markup is valid XHTML and also prevents XSS attacks.
I would recommend saving two copies of the user's HTML input in your database. One copy would be the raw form that they submitted which you can use for when they edit their page later, and the second would be that sanitized by HTML Purifier which you display on output. Storing the sanitized version is much faster than runing HTML Purifier on every page load.
The only way to achieve complete isolation would be to use an iframe.
The other solution would be to limit the html tags users could employ. Limiting users to paragraph and inline tags (string, em, a, etc.) would ensure that you could wrap all of the content in a div tag and not have to worry about open tags.
Just use some function for completing unclosed tags.
This can help you:
http://concepts.waetech.com/unclosed_tags/