HTML entities in email

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

gr8dane
Forum Newbie
Posts: 19
Joined: Wed Aug 22, 2007 3:12 am

HTML entities in email

Post by gr8dane »

I'm using values entered in a form to send an email using the mail() function. When the form is posted, I apply the htmlspecialchars() function to the values. The problem comes when I send the email: The HTML entities don't get translated in the email. I've considered decoding the values before I use them in the email, but wouldn't that open me up to the security problems the encoding was meant to avoid?
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Re: HTML entities in email

Post by Chris Corbyn »

Are you sending the email in plain text or HTML format? You need a Content-Type header in your email.
gr8dane
Forum Newbie
Posts: 19
Joined: Wed Aug 22, 2007 3:12 am

Re: HTML entities in email

Post by gr8dane »

Plain text.
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Re: HTML entities in email

Post by Chris Corbyn »

gr8dane wrote: Plain text.
So what do you expect to happen when you send HTML in plain text?

EDIT | Security issues would be eliminated if you specify the correct charset in your content-type header.
kb0000
Forum Newbie
Posts: 4
Joined: Thu May 08, 2008 5:31 am

Re: HTML entities in email

Post by kb0000 »

You should include the HTML charset in the header.
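As an added illustration (not code posted in this thread), the snippet below builds the same form value for a plain-text message and for an HTML message, so the escaping applied matches the Content-Type the mail client will actually use; the function name and the form field name are assumptions.

```php
<?php
// Added example, not from the thread: choose escaping based on the
// Content-Type the email declares. buildMessage() and the 'message'
// form field are assumed names.

function buildMessage(array $fields, bool $html): array
{
    $charset = 'UTF-8';
    $headers = ['MIME-Version: 1.0'];

    if ($html) {
        // HTML body: entity-escape the user value and declare the same
        // charset the escaping was done with, so the client cannot
        // reinterpret the bytes under a different encoding.
        $body = '<p>' . htmlspecialchars($fields['message'], ENT_QUOTES, $charset) . '</p>';
        $headers[] = "Content-Type: text/html; charset=$charset";
    } else {
        // Plain-text body: no HTML escaping, because the client renders the
        // text literally and "&amp;" would be shown to the recipient as-is.
        $body = $fields['message'];
        $headers[] = "Content-Type: text/plain; charset=$charset";
    }

    return [$body, implode("\r\n", $headers)];
}

// Constructed sample input standing in for the posted form ($_POST).
$post = ['message' => 'Tom & Jerry <say> "hi"'];

[$textBody, $textHeaders] = buildMessage($post, false);
[$htmlBody, $htmlHeaders] = buildMessage($post, true);

// Either pair can be handed to mail(); the headers carry the matching charset.
// mail('recipient@example.com', 'Contact form', $textBody, $textHeaders);
echo $textBody, "\n";
echo $htmlBody, "\n";
```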