{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 啃猪蹄的小仙女 的问题《PHP's mail(): What are potential issues to wat》','https://www.manongdao.com/q-1207759.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
Given a contact form that accepts custom user input (e.g. address, subject line, message), what are some security implications and "gotchas" to be careful of?
At a minimum, the user's email address will have to be validated (likely using filter_var() or equivalent). From what I've read, this should also prevent additional headers from being injected into the script.
What about the subject line and message content though? Is any sanitation required for those fields? I figure an email client would prevent things like scripts from running automatically, and I'm not particularly worried about things like HTML tags (if someone wants to spend the time to style an email by hand, that's their prerogative - I just won't be seeing it :P). If sanitation is required, what's the best way of doing it without being too intrusive (i.e. keeping the nature of the email the same)?
Ensure that people cannot inject linebreaks in anything but the body. Additionally make the recipient static and never pass it e.g. through a hidden form field. However, adding such a field is not a bad idea; but block the IP if it's not set to the expected value - then your client is probably a spam bot.
If you are using the fourth argument, the optional headers, watch for inserting of extra headers, if you are doing something like this...
If
$emailcomes from user input and is not sanitized, a user could enter something like...\n\rCC:spammer@spamzilla.comYou can avoid this by filtering out
\nand\r, or validating$emailusing thefilter_var($email, FILTER_VALIDATE_EMAIL)function.