Should email subjects be HTML-escaped?

I am going to send an HTML email whose subject may contain unsafe user input. I noticed that if I HTML-escape the subject, Gmail displays the escaped content (so if my subject is "This & That", which I sanitize as "This &amp; That", Gmail displays the latter). The same goes for Thunderbird. Can we assume that no email client expects the subject to be HTML-escaped?

+6
3 answers

No need to encode HTML entities in the subject line. The reason for encoding in the HTML body is that you use XHTML, which, since it derives from XML, treats & as a reserved character.

However, the subject line of the message is not HTML, XML or XHTML. It is just plain text. Because of this, you do not need to encode the ampersand as &amp;. If you do encode it, then, since the subject is not parsed as HTML, it will be displayed encoded.

If you want to include non-ASCII characters (like £), you need to encode the entire "envelope" (including the body of the email) as UTF-8.

So what you write (first column) is displayed as follows:

  You write | Subject Line | Body
  =====================================
  &         | &            | &
  &amp;     | &amp;        | &
  UTF-8 £   | £            | £
  ASCII £   | n/a          | n/a
  &pound;   | &pound;      | £

NB: Microsoft Office has a strange implementation of UTF-8, so not all UTF-8 characters will work.

+5

The Subject field is outside the "HTML content". It has nothing to do with HTML.

However, I have no reference for this...

+2

The subject does not have to be HTML-escaped, but it can be encoded. The original SMTP specification specified that messages should be ASCII (RFC 822 Section 3). This was confirmed in RFC 2822; however, RFC 2047 defines headers that allow you to encode header fields in MIME messages to allow non-ASCII text.

This encoded-word format allows UTF-8 encodings to be used in email headers. For instance:

 =?iso-8859-1?q?this=20is=20some=20text?= 

This is an encoded version of the ISO-8859-1 text "this is some text". This method can be used to encode things like the pound symbol (£) or accented / non-ASCII characters.

+2
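As an added example (not code from the question or any of the answers above), the following Python script treats the subject as plain text, lets the standard library RFC 2047-encode it on the wire, and HTML-escapes only the HTML body; it also decodes the encoded word shown above and shows what a client sees when the subject is wrongly HTML-escaped. The sender and recipient addresses are constructed placeholders.

```python
import email
import html
from email.header import decode_header, make_header
from email.message import EmailMessage
from email.policy import SMTP


def decode_encoded_word(header_value):
    """Decode an RFC 2047 header value (the encoded-word form shown above)."""
    return str(make_header(decode_header(header_value)))


def build_message(subject, body_text):
    """Subject stays plain text; only the HTML body is HTML-escaped.

    The stdlib RFC 2047-encodes non-ASCII subject text on the wire.
    """
    if "\r" in subject or "\n" in subject:
        # A user-controlled header value must never contain CR/LF, or it
        # could add extra header lines. EmailMessage rejects this as well.
        raise ValueError("header values may not contain line breaks")
    msg = EmailMessage(policy=SMTP)
    msg["From"] = "sender@example.invalid"      # constructed placeholder
    msg["To"] = "recipient@example.invalid"     # constructed placeholder
    msg["Subject"] = subject                    # no html.escape() here
    msg.set_content("<p>%s</p>" % html.escape(body_text), subtype="html")
    return msg


def wire_subject_line(msg):
    """Return the Subject header exactly as it is serialised for SMTP."""
    headers = msg.as_bytes().split(b"\r\n\r\n", 1)[0]
    for line in headers.split(b"\r\n"):
        if line.startswith(b"Subject:"):
            return line.decode("ascii")  # the SMTP policy keeps headers 7-bit
    return None


def subject_as_client_sees_it(msg):
    """Parse the serialised bytes back, as a receiving mail client would."""
    return email.message_from_bytes(msg.as_bytes(), policy=SMTP)["Subject"]


if __name__ == "__main__":
    print(decode_encoded_word("=?iso-8859-1?q?this=20is=20some=20text?="))
    for subject in ("This & That", "This &amp; That", "Offer: £5 & more"):
        m = build_message(subject, "body with <b>&</b> in it")
        print(wire_subject_line(m), "->", subject_as_client_sees_it(m))
```

The second subject reproduces what the question observed: an HTML-escaped subject is delivered and displayed literally as "This &amp; That".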

Source: https://habr.com/ru/post/917908/
