Email Security

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


aliasxneo
Forum Contributor
Posts: 136
Joined: Thu Aug 31, 2006 12:01 am

Email Security

Post by aliasxneo »

Hello all,

I'm currently looking into email security with PHP. I cannot seem to find too much on it; all I can find is about PHP sending emails and not actually securing incoming ones. I'm looking to know some common exploits that I need to look for and how to handle HTML. I know I shouldn't allow javascript tags (obviously), but simple XSS tactics can be done in almost any tag. Are there any premade classes out there that handle this kind of stuff? I just need overall suggestions for what I should be doing before displaying emails on my website.

Also, I would like to not take away complete functionality of HTML; basic tags like formatting and tables I want to stay. Thanks in advance.

Cheers,
- Josh
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Post by matthijs »

One of our members wrote HTML Purifier, a filter library which might be of help.

Overall, your strategy should be based on a whitelist approach. For displaying anything on your website, the least you can do is use htmlentities().

Search for "escape output/html" on these forums and elsewhere and you'll find more info. For example, on Chris Shiflett's site.
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

HTML Purifier works well for emails (I know d1ttwq uses it in IRIS for this very purpose). You'll probably want to use $config->set('URI', 'DisableResources', true); This (using an HTML filtering library) is probably the only way to go if you want to keep the formatting.
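One way to put the whitelist strategy from matthijs's reply and the HTML Purifier setting from Ambush Commander's reply into practice, as an added example that is not code from this thread or from the HTML Purifier project. It assumes HTML Purifier 4.x installed through Composer (so the directive is spelled URI.DisableResources rather than the two-argument form quoted above), and the sample message body is constructed for the demonstration; the element list, allowed URI schemes and CSS properties are one reasonable choice, not a recommendation from the thread.

```php
<?php
// Added example (not from the thread): a whitelist-based display path for
// incoming email bodies. HTML mail goes through HTML Purifier with a short
// element/attribute whitelist and remote resources disabled; plain-text mail
// is escaped wholesale. Assumes HTML Purifier 4.x via Composer.
require_once __DIR__ . '/vendor/autoload.php';

/**
 * Build an HTML Purifier instance tuned for untrusted email bodies:
 * basic formatting and tables survive, scripts/event handlers/images do not.
 */
function buildEmailPurifier(): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();

    // Whitelist, not blacklist: anything not listed here is dropped.
    $config->set('HTML.Allowed',
        'p,br,b,strong,i,em,u,ul,ol,li,blockquote,h1,h2,h3,' .
        'table,thead,tbody,tr,th,td,a[href],span[style],div[style]');

    // The directive from the reply above, in 4.x "Namespace.Directive" form:
    // no img/embed/etc. fetches, so merely viewing a mail cannot phone home.
    $config->set('URI.DisableResources', true);

    // Links: only http/https/mailto, no javascript: or data: URIs,
    // and mark them nofollow / open in a new tab.
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true, 'mailto' => true]);
    $config->set('HTML.Nofollow', true);
    $config->set('HTML.TargetBlank', true);

    // Inline CSS limited to a few formatting properties (no positioning tricks).
    $config->set('CSS.AllowedProperties', [
        'color' => true, 'background-color' => true, 'font-weight' => true,
        'font-style' => true, 'text-align' => true, 'text-decoration' => true,
    ]);

    // Disable the on-disk definition cache so the example runs anywhere.
    $config->set('Cache.DefinitionImpl', null);

    return new HTMLPurifier($config);
}

/**
 * Render a stored message body for display on the site.
 * Plain text is escaped in full (the htmlentities()-style baseline from the
 * thread); HTML is reduced to the whitelist above.
 */
function renderEmailBody(string $body, bool $isHtml, HTMLPurifier $purifier): string
{
    if (!$isHtml) {
        return nl2br(htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
    }
    return $purifier->purify($body);
}

// Constructed sample body (not a real message): legitimate formatting mixed
// with the kinds of markup an incoming mail must not be allowed to keep.
$sample = <<<'HTML'
<p onmouseover="alert(1)">Quarterly <b>report</b> attached.</p>
<script>alert(1)</script>
<img src="http://tracker.example/pixel.gif">
<table><tr><td style="color:red; position:absolute">cell</td></tr></table>
<a href="javascript:alert(1)">bad link</a> <a href="https://example.com/">good link</a>
HTML;

$purifier = buildEmailPurifier();
echo renderEmailBody($sample, true, $purifier), PHP_EOL;
echo renderEmailBody("<b>not html</b> & plain", false, $purifier), PHP_EOL;
```

Running this keeps the paragraph, bold text, table and the https link while the event handler attribute, the script element, the tracking image, the disallowed position property and the javascript: href are removed. Build the purifier once per request and reuse it, since constructing one is comparatively expensive; and keep the whitelist as small as the mail you actually need to display allows.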