
Email Security

Posted: Tue Dec 19, 2006 11:50 pm
by aliasxneo
Hello all,

I'm currently looking into email security with PHP. I cannot seem to find too much on it; all I can find is about PHP sending emails and not actually securing incoming ones. I'm looking to know some common exploits that I need to look for and how to handle HTML. I know I shouldn't allow javascript tags (obviously), but simple XSS tactics can be done in almost any tag. Are there any premade classes out there that handle this kind of stuff? I just need overall suggestions for what I should be doing before displaying emails on my website.

Also, I would like to not take away complete functionality of HTML; basic tags like formatting and tables I want to stay. Thanks in advance.

Cheers,
- Josh

Posted: Wed Dec 20, 2006 12:53 am
by matthijs
One of our members wrote HTML Purifier, a filter library which might be of help.

Overall, your strategy should be based on a whitelist approach. For displaying anything on your website, the least you can do is use htmlentities().

Search for "escape output/html" on these forums and elsewhere and you'll find more info. For example on Chris Shiflett's site.

Posted: Wed Dec 20, 2006 3:49 pm
by Ambush Commander
HTML Purifier works well for emails (I know d1ttwq uses it in IRIS for this very purpose). You'll probably want to use $config->set('URI', 'DisableResources', true); This (using an HTML filtering library) is probably the only way to go if you want to keep the formatting.
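The two answers above fit together as one defensive pattern: escape every field that never needs markup, and run the HTML body through a whitelist filter that keeps formatting and tables but drops script, event handlers and remote resources. The following is an added example written for this thread, not code from either poster or from the HTML Purifier project. It assumes HTML Purifier is installed and that library/HTMLPurifier.auto.php is on the include path, and it uses the current dotted-key form of the configuration call (URI.DisableResources) rather than the older three-argument form quoted in the post; the sample message is constructed for the demonstration.

```php
<?php
// Added example (not from the thread): display an incoming HTML email safely.
// Assumed install: HTML Purifier's library/HTMLPurifier.auto.php is on the
// include path (with Composer you would require vendor/autoload.php instead).
require_once 'library/HTMLPurifier.auto.php';

/**
 * Escape a plain-text field (subject, sender name) so it can never carry markup.
 * This is the htmlentities() baseline from matthijs's reply: where no HTML is
 * needed, escape everything, including quotes, with an explicit charset.
 */
function escape_text($text)
{
    return htmlentities($text, ENT_QUOTES, 'UTF-8');
}

/**
 * Build a purifier that keeps basic formatting and tables but nothing that can
 * run script or load a remote resource. Everything not listed is removed.
 */
function build_email_purifier()
{
    $config = HTMLPurifier_Config::createDefault();

    // Whitelist of elements (and, in brackets, attributes) allowed to survive.
    $config->set('HTML.Allowed',
        'p,br,b,strong,i,em,u,h1,h2,h3,blockquote,ul,ol,li,' .
        'table,thead,tbody,tr,th,td,a[href]');

    // The setting Ambush Commander recommends, in dotted-key form: forbid
    // external resources (remote images), so a message cannot load a beacon.
    $config->set('URI.DisableResources', true);

    // Only these link schemes are kept; javascript: and data: URIs are dropped.
    $config->set('URI.AllowedSchemes',
        array('http' => true, 'https' => true, 'mailto' => true));

    // Disable the on-disk definition cache so the example runs without a
    // writable cache directory (enable it in production for speed).
    $config->set('Cache.DefinitionImpl', null);

    return new HTMLPurifier($config);
}

// Constructed sample message (not a real email): formatting and a table we
// want to keep, plus a script tag, an inline event handler, a remote image
// and a javascript: link that the whitelist should strip.
$dirty = '<p>Hi <b>Josh</b>,</p>'
    . '<script>document.location="http://example.invalid/"</script>'
    . '<p onclick="alert(1)">Quarterly numbers:</p>'
    . '<table><tr><th>Q</th><th>Revenue</th></tr>'
    . '<tr><td>1</td><td>10</td></tr></table>'
    . '<img src="http://example.invalid/beacon.gif">'
    . '<p><a href="javascript:alert(1)">click</a> or '
    . '<a href="https://example.com/">visit</a></p>';

$purifier = build_email_purifier();
$clean    = $purifier->purify($dirty);

// The subject line is plain text, so it is escaped outright; the body is the
// purified HTML, which still contains the bold text, paragraphs and table.
echo '<h2>' . escape_text('Re: Q1 report <script>') . "</h2>\n";
echo $clean . "\n";
```

Keep the whitelist as small as the site really needs; every element or attribute added to HTML.Allowed is surface area you are choosing to render, and the purifier can only enforce the policy you give it.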