I'm trying to make my mail form secure so that no malicious script can be inserted into the message text. At first I thought about using htmlentities filtering, but that would turn characters like &, < and > into their HTML entity equivalents in the arriving message body text when it is sent as text/plain.
I could let it send as text/html, but that would turn everything back into the bad script, making it insecure again.
I want the text sent filtered of dangerous HTML tags, as a text/plain mail, but when receiving it as a text/plain mail it should display with its original characters again. How can I do that?
I know it can be done, because when I sent myself an HTML mail with this line:
<script>for(var i = 0; i < 2; i++) { alert("Hi!"); }</script>
I receive it as an HTML mail like that (without it executing the script), and when I switch the display to plain text I get the same line without any HTML entity codes. So somehow the HTML tags in this line are not seen as HTML tags, both when displaying as text/html and as text/plain.
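The behaviour described in the question is output-context escaping: a text/plain body is never parsed as HTML by a mail client, so it needs no HTML escaping at all, while a text/html body needs the same characters escaped so they render as text instead of markup. The following is an added example in Python (not code from the question, which uses PHP's htmlentities) that builds a multipart/alternative mail with both parts from one user-supplied string and checks that both views show the original characters. The sender, recipient, subject and the sample input are constructed for the example; `html.escape` plays the role of htmlentities.

```python
import html
from email import policy
from email.message import EmailMessage

# Constructed sample input: the line from the question plus an ampersand,
# exactly as a user might type it into the form.
SAMPLE_INPUT = '<script>for(var i = 0; i < 2; i++) { alert("Hi!"); }</script> & more'


def build_message(body: str, sender: str, recipient: str, subject: str) -> EmailMessage:
    """Build a multipart/alternative mail carrying the user text in both forms.

    text/plain: the user text verbatim. A mail client shows it as characters,
    never as tags, so no HTML escaping is applied (and none is needed).
    text/html: the same text with &, <, >, " and ' escaped so the client renders
    the characters rather than interpreting <script> as markup.
    """
    msg = EmailMessage(policy=policy.default)
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)  # text/plain part, unescaped
    escaped = html.escape(body, quote=True)  # stand-in for PHP htmlentities
    msg.add_alternative(
        "<html><body>\n<pre>" + escaped + "</pre>\n</body></html>\n",
        subtype="html",
    )
    return msg


def plain_part(msg: EmailMessage) -> str:
    """Return the decoded text/plain body (set_content appends a newline)."""
    return msg.get_body(preferencelist=("plain",)).get_content()


def html_part(msg: EmailMessage) -> str:
    """Return the decoded text/html body as the client would receive it."""
    return msg.get_body(preferencelist=("html",)).get_content()


def displayed_text(msg: EmailMessage, mode: str) -> str:
    """Crude stand-in for a mail client's display in 'plain' or 'html' mode.

    In plain mode the body is shown as-is. In html mode the client decodes the
    entities inside <pre>...</pre> back to characters, so the user sees the
    original line without the browser engine ever seeing a <script> element.
    """
    if mode == "plain":
        return plain_part(msg).rstrip("\n")
    body = html_part(msg)
    start = body.index("<pre>") + len("<pre>")
    end = body.index("</pre>")
    return html.unescape(body[start:end])


if __name__ == "__main__":
    m = build_message(SAMPLE_INPUT, "form@example.invalid", "me@example.invalid", "Contact form")
    print("--- text/plain as received ---")
    print(plain_part(m))
    print("--- text/html as received ---")
    print(html_part(m))
    print("--- what the user sees in either view ---")
    print(displayed_text(m, "plain"))
    print(displayed_text(m, "html"))
```

The check that matters is the last two lines: both views print the same original characters, and the raw text/html part contains `&lt;script&gt;` rather than a live `<script>` element. Escaping happens once, at the point where the text is placed into an HTML context, and nowhere else.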