When writing a view which will send email in response to input (say, a
contact form), does a developer need to perform the sort of input
validation common in, say, PHP, in order to prevent injection of
additional headers? From looking at how the email is constructed in
django/core/mail.py I'm guessing yes, but this would be something good
to mention in the docs, maybe with a link to a tutorial on doing
strong input validation (like this one, perhaps, though it's
PHP-specific: http://securephp.damonkohler.com/index.php/Email_Injection)
--
"May the forces of evil become confused on the way to your house."
-- George Carlin
There is a patch (#464) to set the character of an email. Will it be added? Does somebody know?
--
All the best!
greg [at] anastasia [dot] ru Григорий.
Good call! I've updated docs/email.txt to point out input needs to be validated.
Also, in revision 1795, I tightened up the Django mail functions so
that they don't accept newlines in any header. Docs are updated for
that as well.
Adrian
--
Adrian Holovaty
holovaty.com | djangoproject.com | chicagocrime.org
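The check Adrian describes (refusing any header value that contains a newline), shown next to the string-concatenation pattern the opening question worries about. This is an added example and is neither Django's code nor code from this thread; the exception name `HeaderInjectionError`, the helper names and the sample addresses and subject are constructed for illustration.

```python
import re
from email import message_from_string
from email.message import EmailMessage

# A CR or LF inside a header value ends that header line, so whatever follows
# it is parsed as a new header.  Rejecting the whole value (the approach the
# thread describes for Django's mail functions) is simpler and safer than
# trying to strip the offending characters.
HEADER_NEWLINE_RE = re.compile(r"[\r\n]")


class HeaderInjectionError(ValueError):
    """Assumed exception name for this example; not Django's own."""


def forbid_newlines(name, value):
    """Return `value` if it can safely be used as the `name` header;
    raise HeaderInjectionError if it contains CR or LF."""
    if HEADER_NEWLINE_RE.search(value):
        raise HeaderInjectionError("newline in %r header value" % name)
    return value


def naive_build(sender, subject, body):
    """The pattern the question asks about: headers assembled from user
    input by plain string concatenation, with no validation at all."""
    return "From: %s\r\nTo: owner@example.invalid\r\nSubject: %s\r\n\r\n%s" % (
        sender, subject, body)


def checked_build(sender, subject, body):
    """Same message, but every header derived from user input is checked
    before it is stored.  The recipient is fixed by the site, not the user."""
    msg = EmailMessage()
    msg["From"] = forbid_newlines("From", sender)
    msg["To"] = "owner@example.invalid"
    msg["Subject"] = forbid_newlines("Subject", subject)
    msg.set_content(body)  # body text may contain newlines; only headers matter
    return msg


def headers_of(raw):
    """Parse a raw message string and return its header names, which shows
    whether a user-supplied value turned into an extra header."""
    return list(message_from_string(raw).keys())


if __name__ == "__main__":
    # Constructed sample input: a subject carrying a line break followed by
    # text shaped like a header.
    hostile_subject = "Hello\r\nBcc: third-party@example.invalid"
    print(headers_of(naive_build("user@example.invalid", hostile_subject, "hi")))
    try:
        checked_build("user@example.invalid", hostile_subject, "hi")
    except HeaderInjectionError as exc:
        print("rejected:", exc)
```

Parsing the naively built message shows the extra `Bcc` header that the line break smuggled in, while the checked builder refuses the same input before anything is sent. The check is on the header values only; the message body is free to contain newlines.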