htmlentities in the body section of email

Square1

Hi all:

I am using PHPmailer to send emails. If I have a variable in the body section (or any section for that matter) of the email code, is it necessary to apply htmlentities to it?

For example:



require_once( 'class.phpmailer.php' );
		try {
			$mail = new PHPMailer(true); //New instance, with exceptions enabled
			$body = "Welcome". htmlentities($FirstName)."";

		$mail->IsSMTP();                           // tell the class to use SMTP
		$mail->Port       = 25;                    // set the SMTP server port
		$mail->Host       = "mail.mysite.com"; // SMTP server
		$mail->From       = "info@mysite.com";
		$mail->FromName   = "mysite.com";

		$to = htmlentities($rEmailAddress);

		$mail->AddAddress($to);
		$mail->Subject  = htmlentities($FirstName)." is eligible for discounts";
		//$mail->AltBody    = "To view the message, please use an HTML compatible email viewer!"; // optional, comment out and test
		$mail->WordWrap   = 80; // set word wrap
		$mail->MsgHTML($body);
		$mail->IsHTML(true); // send as HTML

		$mail->Send();

		} catch (phpmailerException $e) {
			echo $e->errorMessage();
	}
//End email

Thank you!

bradgrafelman

Necessary for what purpose?

Square1

bradgrafelman;10996003 wrote:
Necessary for what purpose?

XSS

bradgrafelman

Well, considering that the body of an HTML-formatted e-mail is nothing more than an HTML document, then I would say the same answers apply here as were given in response to your other thread (where the topic of XSS was discussed ad nauseam, IIRC).

However, also note that outside of the body of the e-mail (in the headers, for example), it would of course make no sense to use htmlentities() (as you're currently doing) since you shouldn't be sanitizing data for display in an HTML document (and should instead be sanitizing it for other purposes, such as to prevent header injections, unless PHPMailer already does that for you).

Square1

bradgrafelman;10996005 wrote:
Well, considering that the body of an HTML-formatted e-mail is nothing more than an HTML document, then I would say the same answers apply here as were given in response to your other thread (where the topic of XSS was discussed ad nauseam, IIRC).

Thank you. Although you found the thread on XSS to be discussed ad nauseum, I found it very helpful. It was discussed just enough so I understood the concept. I am sure many others with less experience than you will find it beneficial as well..