safe against xss?

digitalecartoon

I'm having my mailforms send as plain text mail without the use of htmlentities. As I mail reader I'm using either:
webmail (squirrelmail), which processes them with htmlentities itself anyway, so even if it is displayed as "plain text", it's actually shown as html but with html entities in the "source" so tags/scripts in the message are shown as their original characters without the danger of them being executed

or:
Thunderbird, which shows plain text always as plain text, not as html (that's true, isn't it?), so any tags/scripts aren't executed anyway.

Am I now protected enough against xss attacks?

MarkR

I'm not convinced that xss attacks are relevant to email at all.

XSS attacks are where someone can inject arbitrary code into your web site, for example, if you echo a $_GET parameter without escaping it. This could be used to inject client-side script (e.g. Javascript) into your site which could retrieve a user's credentials (e.g. cookies) if a trusted user was tricked into running it.

If you're sending a plain text email, HTML will not be interpreted at all. Most email clients also place strict restrictions on what HTML is interpreted in emails, if you send the message as HTML or mixed:
- Client side scripting is never allowed any more
- Plugins are usually not allowed (e.g. Flash, Java)
- Some tags may be deliberately ignored, e.g. meta refresh, iframes etc
- Some mail user agents will refuse to load external objects (e.g. images) in an email to protect against "microdot" or similar tracking techniques used by spammers and others to verify reading. Such clients typically provide a way for the user to explicitly load the images.

This usually means that you can't write much of a web application in an email, but that's ok, because it's not what users expect or typically want.

Mark

digitalecartoon

O, it's because i've read that besides filtering your headers with regexes (to pervent email injection), you also should apply htmlentities on your message text to prevent scripts from being inputed in the mailform?

MarkR

digitalecartoon wrote:
O, it's because i've read that besides filtering your headers with regexes

You should not filter your headers with regexs.

Write yourself a wrapper function for mail() which

If the subject or any other header contains a newline, throws an exception
Rejects other malformed junk as you see fit
Passes the body unchanged.

Your TEXT body is safe from any kind of injection, no processing is done whatsoever on plain text.

If you send HTML, then of course you should escape data with htmlspecialchars(), otherwise the output will be wrong. I'm not convinced this is a security risk, but it could otherwise screw up your html output.

you also should apply htmlentities on your message text to prevent scripts from being inputed in the mailform?

As I said above, I don't think there are any security problems with people putting scripts in an email, no sane email client will run them.

But it's a good idea to escape stuff anyway if it's in HTML, and not if it's not.

The main risk of PHP mail forms is header injections, which you've already got covered in your header scanning function.

If you see unexpected newlines in your headers (or subject), don't strip them, instead throw a big fat and loud exception so the developer can see there's a problem (obviously your exception handler won't show the message to the user, will it?)

Mark

digitalecartoon

MarkR wrote:
You should not filter your headers with regexs.

Write yourself a wrapper function for mail() which

If the subject or any other header contains a newline, throws an exception

Rejects other malformed junk as you see fit

Passes the body unchanged.

This is something new to me, a wrapper function, or throwing an exception. I've just started reading something about in on :
http://nl3.php.net/manual/en/language.exceptions.php

I'm new to this so I don't understand it right now, but how does this differ from what I'm doing now? I mean, I don't strip anything. I just check if the name has only letters, a hyphen or apostrophe with a regex. And if the email is in the right format with a regex. But I don't strip anything. Below is my complete mail script which processes the flash form input.

But doesn't such a wrapper function work the same? Checking if a name is a normal name, en email address is a valid one and if not echo an error message and exit the script? Or does it work differently?

My mailscript:

<?php
session_start();

/* Session variables are used so the php script can't be accessed directly */
/* Session variable is set on the html page displaying the form */
if(!isset($_SESSION["putyourpasswordhere"])){
echo "Dit script kan enkel via de bijbehorende website aangeroepen worden!";
exit;
} else {
session_destroy();
unset ($_SESSION["putyourpasswordhere"]);
}

/* Email settings, doing some basic filtering */
/* Used by Flash form so utf8 decode neccessary for allowing international (accented) characters */
/* Using stripslashes so names like O'Brien don't get converted to O/'Brien when posting */
$to = "mail@yourownemailaddress.nl";
$subject = "Request for information";
$naam = stripslashes(utf8_decode($_POST["naam"]));
$email = stripslashes(utf8_decode($_POST["email"]));
$bericht = stripslashes(utf8_decode($_POST["bericht"]));

/* To protect agains email injection, some regular expressions to validate inputed values */
/* Checking for a proper name, including accented characters, apostrophe, space and hyphen */
if (!preg_match('~^[a-zÀ-ÿ][\'a-zÀ-ÿ \-]*$~i', $naam)) {
$naam = "error";
/*echoes are used the send variables back to Flash again */
echo "&naam=error&";
} else {
echo "&naam=correct&";
}

/* Checking for properly formed email address*/
if (!preg_match('~^[a-z0-9][a-z0-9_.\-]*@([a-z0-9]+\.)*[a-z0-9][a-z0-9\-]+\.([a-z]{2,6})$~i', $email)) {
$email = "error";
echo "&email=error&";
} else {
echo "&email=correct&";
}

/* Has a message been filled in? */
if (!$bericht) {
$bericht = "error";
echo "&bericht=error&";
} else {
echo "&bericht=correct&";
}

/* Everything is ok and mail will be sent as plain text mail */
/* When sending as html text mail, the use of htmlentities on the message is advised */
/* That way the message part can't be used to input malicious scripts */
if ($naam != "error" && $email != "error" && $bericht != "error") {

$message = "Naam:\r\n".$naam."\r\n\r\n";
$message .= "Emailadres:\r\n".$email."\r\n\r\n";
$message .= "Bericht:\r\n".$bericht."\r\n";

$headers = "MIME-Version: 1.0\r\n";  

$headers .= "Content-type: text/plain; charset=iso-8859-1\r\n";
$headers .= "From: ".mb_encode_mimeheader($naam, "iso-8859-1", "Q")." <".$email.">\r\n";  

mail($to, $subject, $message, $headers);

}
?>

[/code]