using htmlentities but...

digitalecartoon

In my mailscript to have it send as plain text instead of html I'm using htmlentities() on the message variable. Not strip_tags which could in some case delete more of the message than it should.

But now I'm wondering: when I use htmlentities, characters like < > " ' and & get converted. E.g.

pVariable1<pVariable2

would show in my email message as

pVariable1<pVariable2

Which is ok mostly. That way , no hacker can abuse the mailform. But is it also possible to have it send as pVariable1<pVariable2, but in the mail message have it show as pVariable1<pVariable2 ?

NogDog

Well, you could send your email message as HTML text. See example 1106 on the mail() page

digitalecartoon

But what about email injection. If I use regexes for the name / email field and htmlentities for the message part. When I let it sent as html mail wouldn't that make ik more vulnerable for hackers again?

But in principle, in plain text messages it is not possible to use htmlentities (to bypass hackers html), have it send as plain text message and receive it with the html entities converted to it's characters again.

NogDog

Firstly, email header injections only occur in the headers, not in the message body. As far as any <script> tags sent in the message body, they will not be actual script tags; they will be "<script>" strings of text that will be displayed as "<script>" in the received message, but will not be treated as HTML tags.

digitalecartoon

So basically it isn't even necessary to use strip_tags() or htmlentities() in the message body if the headers are already set to plain_test?

NogDog

digitalecartoon wrote:
So basically it isn't even necessary to use strip_tags() or htmlentities() in the message body if the headers are already set to plain_test?

As far as email header injection attacks, that would be correct. However, if you are concerned about possible malicious scripts in the message body, or even just malformed HTML, then I'd recommend using strip_tags() and/or htmlentities on the message body text.

digitalecartoon

I guess that's what I want to avoid also, malicious scripts/malformed html in the message body. But I'd like to find a way to keep mails send to me as plain text mails, while not converting characters like & and < > to < etc.
Or isn't such a thing possible?

If it not possible with having sent the mail as plain text: you mentioned having it sent as html mail. But if I would then use htmlentities first and send it as html mail, would that convert everything to html again during sending and reform the malicious script?

And perhaps another thing I should mention: to protect my php script against hackers directly accessing the php file, I'm using a session variable check. Don't now much about "malicious scripts/malformed html" abuse, but would that be good against that? Of do these scripts also attack you by being input in the message body field?

digitalecartoon

Just turned my plain text header into html text header and after filtering tags with htmlentities, things like & < > etc. get converted into codes , but after sending them with mail() arrive as its original values in the message body test. As I wanted it to. But because they are sent with htmlentities values, this makes them save against scripts anyway?
If I select "show as plain text" mail in my webmail , I get the entity codes again so I guess the tags are not sent as tags with mail() and only show up as & < > characters in my mail body?

So, I guess I would use html text mail then.

To wrap this up: it's basically not possible to have html entity codes sent as plain text mail, showing it as plain text mail in my mail client, but showing entity codes as the characters like in html text mail?

digitalecartoon

Just did a simple text: using the webmail of my internet provider! Used René O'Janssen as my name and several & < > " ' characters in the message body text. Sent it to myself and received it as plain/text mail. But with all the characters intact, no htmlentity encoding.

Surely my internet profider would have protected its webmail forms against malicious scripts?

So my question remains: is it possible to format a plain/text mail, filter html tags from the message body text with htmlentities, have mail() send it as plain/text mail, receiving it as plain/text mail but with all characters intact?

Or would that only be possible with a much bigger script (like perhaps my provider would have done)?

digitalecartoon

I've tested it with several options.

I've made an input field and tested it entering the following line:
rene<janssen>sman

This is the code I use to both send it to an email addres and displaying the resulting code:

<?php
$to = "mail@myemail.com";
$subject = "Sending a test mail";
$mijnnaam = ($_POST["tekst"]);

$message = "1. ".$mijnnaam."\r\n";
$message .= "2. ".htmlentities($mijnnaam)."\r\n";
$message .= "3. ".strip_tags($mijnnaam)."\r\n";
$message .= "4. ".htmlentities( strip_tags($mijnnaam))."\r\n";
$message .= "5. ". html_entity_decode (htmlentities($mijnnaam));

$headers = "MIME-Version: 1.0\r\n";

$headers .= "Content-type: text/plain; charset=iso-8859-1\r\n";

mail($to, $subject, $message, $headers);
echo $message;
?>

What I get in my mail is this:

rene<janssen>sman
rene<janssen>sman
renesman
renesman
rene<janssen>sman

What is displayed in a browser window so I can see the html is this:
1. Rene<Janssen>Sman
2. Rene<Janssen>Sman
3. ReneSman
4. ReneSman
5. Rene<Janssen>Sman

To make my php script secure against attacking scripts is to input:
Rene<Janssen>Sman
having the inputted line filtered from html tags which could form such a script, e.g. with htmlentities so that it becomes:
Rene<Janssen>Sman
arriving as a plain/test email as:
Rene<Janssen>Sman
(so no html tags are present)
but displaying in the message part of the plain/text email as:
Rene<Janssen>Sman

Is such a thing possible? I did send myself an html mail. When I looked in my webmail and went for "show mail as plain text mail", it did show the line without those codes and surely my email provider has protected emailing against bad scripts somehow? Or am I thinking wrong?

digitalecartoon

NogDog wrote:
Originally Posted by digitalecartoon
So basically it isn't even necessary to use strip_tags() or htmlentities() in the message body if the headers are already set to plain_test?

As far as email header injection attacks, that would be correct. However, if you are concerned about possible malicious scripts in the message body, or even just malformed HTML, then I'd recommend using strip_tags() and/or htmlentities on the message body text.

Someone told me that as long as I properly close the header line and add an extra empty line to seperate it from the message text, such malicious scripts wouldn't work? Is that true?

That would save me the trouble of using htmlentities which would convert some characters to html entity in the output which I want to avoid.

Everything else (From🙂 I've got checked through regular expressions, wouldn't even have to use htmlentities on them.

So it's true that bad scripts aren't in danger of being executed as long as I close my headers properly with an added empty line?