Swift filters?

Swift Mailer is a fantastic library for sending email with php. Discuss this library or ask any questions about it here.

Oren
DevNet Resident
Posts: 1640
Joined: Fri Apr 07, 2006 5:13 am
Location: Israel

Swift filters?

Post by Oren »

Does Swift do any filtering of the data or supply a class that does so? Or is it totally up to me?
Do I even need to do it, or will my mail program do it anyway?

Let's say I have a contact form and I wanted the message to be sent to my email using Swift. Do I need to do anything, or can I pass $_POST['msg'] directly to Swift?
Is there any danger in this?

Thanks.
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

I worry about injection in the headers and internationalization in the body (assuming you have your web page set up with the correct charset Swift is set to use). It won't filter XSS attacks in HTML emails though. Use HTMLPurifier for that. Hmm... that could actually be a new plugin :)
Oren
DevNet Resident
Posts: 1640
Joined: Fri Apr 07, 2006 5:13 am
Location: Israel

Post by Oren »

Ok, thanks. I guess I'll just play with this a little bit and see what happens when I open my mail after sending to myself something like "<script>XSS!</script>" and friends without any filtering :P

I'll post the results later on - maybe tomorrow or whenever I'm done with the testing.
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

Oren wrote:Ok, thanks. I guess I'll just play with this a little bit and see what happens when I open my mail after sending to myself something like "<script>XSS!</script>" and friends without any filtering :P

I'll post the results later on - maybe tomorrow or whenever I'm done with the testing.
You'd be unlikely to succeed with an XSS attack via email. Most clients disable JS, and web-based services would be foolish not to filter it themselves ;)
Oren
DevNet Resident
Posts: 1640
Joined: Fri Apr 07, 2006 5:13 am
Location: Israel

Post by Oren »

d11wtq wrote:You'd be unlikely to succeed with an XSS attack via email. Most clients disable JS, and web-based services would be foolish not to filter it themselves ;)
Exactly, that's why I asked if there is any need to filter it at all. So what do you say: can I just pass $_POST['msg'] to Swift, or what?
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

Oren wrote:
d11wtq wrote:You'd be unlikely to succeed with an XSS attack via email. Most clients disable JS, and web-based services would be foolish not to filter it themselves ;)
Exactly, that's why I asked if there is any need to filter it at all. Then what do you say, I can just pass $_POST['msg'] to Swift or what?
I'd still filter it with HTMLPurifier. It's a piece of cake and there's no harm in filtering yourself. You can't rely on other people's security :)
Oren
DevNet Resident
Posts: 1640
Joined: Fri Apr 07, 2006 5:13 am
Location: Israel

Post by Oren »

d11wtq wrote:there's no harm in filtering yourself.
Now that sounds funny, say it loudly :lol: :lol: :lol:
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

Oren wrote:
d11wtq wrote:there's no harm in filtering yourself.
Now that sounds funny, say it loudly :lol: :lol: :lol:
Image
Oren
DevNet Resident
Posts: 1640
Joined: Fri Apr 07, 2006 5:13 am
Location: Israel

Post by Oren »

What?
gr8dane
Forum Newbie
Posts: 19
Joined: Wed Aug 22, 2007 3:12 am

Post by gr8dane »

Chris Corbyn wrote:I'd still filter it with HTMLPurifier.
If I understand it correctly, HTMLPurifier cleans up HTML. So I'm curious why you recommend its use, in conjunction with SwiftMailer, for filtering input from a contact form. What does it do to data that doesn't (or shouldn't) contain HTML markup that makes it more secure? Would just using these two together assure me of a secure form, or are there still things I should do in addition? Also, how would I implement the two together (this is all new to me, so the more details, the better)?
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

If the input data is not HTML, do not run HTML Purifier on it.

There. I've said it.

On the other hand, if the input data is HTML...
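Pulling the thread's two points together (Chris's concern about header injection, and Ambush Commander's rule to run HTML Purifier only on HTML), here is an added example of a contact-form handler; it is not code from the thread or from either library. It assumes the Swift Mailer 4/5 API, HTML Purifier, a Composer autoloader, and placeholder addresses at example.com.

```php
<?php
// Added example: keep form input out of mail headers, and purify only real HTML.
// Assumes Swift Mailer 4/5 and HTML Purifier are available via Composer.
require_once 'vendor/autoload.php';

// A CR or LF in a header value is what lets a submitter append extra headers
// (e.g. a Bcc line); refuse such values instead of trying to repair them.
function headerSafe($value)
{
    if (preg_match('/[\r\n]/', $value)) {
        throw new InvalidArgumentException('Line break in header value');
    }
    return trim($value);
}

// The reply address must be a well-formed single address, nothing more.
function validAddress($email)
{
    $email = headerSafe($email);
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('Invalid e-mail address');
    }
    return $email;
}

$name    = headerSafe($_POST['name']);
$from    = validAddress($_POST['email']);
$subject = headerSafe($_POST['subject']);
$body    = $_POST['msg'];

$message = Swift_Message::newInstance()
    ->setSubject('[Contact form] ' . $subject)
    // From is the site's own fixed address; the visitor only gets Reply-To.
    ->setFrom(array('contact@example.com' => 'Contact form'))
    ->setReplyTo(array($from => $name))
    ->setTo(array('me@example.com'));

if (!empty($_POST['html'])) {
    // Form genuinely submits HTML: strip scripts, event handlers, etc.
    $purifier = new HTMLPurifier(HTMLPurifier_Config::createDefault());
    $message->setBody($purifier->purify($body), 'text/html');
} else {
    // Plain text: a text/plain part is never rendered as markup, so no purifier.
    $message->setBody($body, 'text/plain');
}

$mailer = Swift_Mailer::newInstance(Swift_SmtpTransport::newInstance('localhost', 25));
$mailer->send($message);
```

Run this behind a form with name, email, subject, msg and an optional html field; the header checks throw before anything is sent.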