Create an encodeForEmail() function
skotfred opened this issue · 4 comments
skotfred commented
It would seem that a rule for email would not completely match any of the existing rules. Additionally, this seems to be a value that is an obvious choice for reflected attacks.
jmanico commented
Can you give us an exact example of what you want to do? I don't see it yet...
Aloha, Jim
skotfred commented
Obviously this is an edge case, but one example would be for cases where a user enters "example@<script>alert('xss');</script>domain.com" as it could be reflected back to the output.
jmanico commented
Normal output encoding will suffice, we don’t need a special encoder for this. If the email is in an attribute then do attribute encoding, etc.
jmanico commented
Normal encoding will work here, politely closing this out.