(PHP) HTML entities in emails

gr8dane · #1 (**permalink**) 04-15-2008, 08:32 PM

I'm using values entered in a form to send an email using the mail() function. When the form is posted, I apply the htmlspecialchars() function to the values. The problem comes when I send the email: The HTML entities don't get translated in the email. I've considered decoding the values before I use them in the email, but wouldn't that open me up to the security problems the encoding was meant to avoid?

mono · #2 (**permalink**) 04-16-2008, 05:51 PM

You need to analyze the html entities that are getting sent to you and determine whether you want to place them in emails that go out as yours. For example, scripts, probably not. HTML tags... do you really want arbitrary ones in your emails? Personally I strip all tags. What sort of html things would you want to preserve?

gr8dane · #3 (**permalink**) 04-16-2008, 07:29 PM

I strip all tags, too. The problem is that my emails are getting sent as text, not HTML, so that an apostrophe, for example, that's been transformed into an entity doesn't get translated back into an apostrophe in the message.

I'm just starting to learn about how to make emails secure, so I'm not very clear about what kinds of malicious content might get sent through a form that could cause problems in an email. Would decoding the entities with htmlspecialchars_decode() make my emails vulnerable?

httpman · #4 (**permalink**) 04-16-2008, 07:54 PM

To translate those entities in their html counterpart, you must send the email as a HTML email, not a TEXT. With PHP mail() function, this is done using the 4th parameter ($more below) :

mail($to,$subject,$mess,$more)

this 4th parameter is used to add any standard e-mail header information, for instance :

$more="From: xxxxxx\n"
."Cc: yyyyyy\n"
. "Bcc: zzzzzz\n"
. "Content-Type: text/html; charset=\"iso-8859-1\"\n";

xxxx, yyy and zzzzz stands for email addresses.
The "content-type" is set to text/html, this will force the email to HTML, and any special hml tag or specialchar will be translated. For instance if you place a <b>xxx</b> in your message, it will appear as xxxx in bold.

The charset depends of the set you are using in your email. 8859-1 is used in Europe, it supports our special characters with those little accents above.

JP

youds · #5 (**permalink**) 04-17-2008, 03:51 AM

Read this!!!!
The Absolute Minimum Every Software Developer Absolutely, Positively Must Know About Unicode and Character Sets (No Excuses!) - Joel on Software

You have control over all areas of sending this email, is the character encoding the same in your web site as in your email???
Really, you shouldn't need any special functions like that, unless you want to convert & to &.
Those functions are intended for when you don't have control over the input/output encodings!!!!!

crossland · #6 (**permalink**) 04-17-2008, 05:58 AM

You might want to look at some of the email packages that are available for PHP.
They make this sort of thing alot easier. One example is the Pear email package for PHP.

Hope this helps,

Tim
WebSphere MQ 7

Faglork · #7 (**permalink**) 04-17-2008, 08:19 AM

Quote:

Originally Posted by youds

Really, you shouldn't need any special functions like that, unless you want to convert & to &.
Those functions are intended for when you don't have control over the input/output encodings!!!!!

Yep.

I ran into the same problem when switching my sites from ISO to UTF-8 (unicode).

Simplest solution: Use a UTF-8 capable mail prog, like NMS' TFMail. You can download it here:
nms - web programs written by experts

It has some other nice features as well, and is currently my preferred formmail solution.

hth,
Alex