#34753: Document how to safely construct email addresses
--------------------------------------+------------------------------------
Reporter: Sylvain Fankhauser | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: Documentation | Version:
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Comment (by Mike Edmunds):
I would suggest reworking the entire existing "Preventing header
injection" section as part of this change. Both the text and example can
be improved.
A more useful example might be actually treating it as a typical contact
form, with name, email, subject and message fields:
- from_email would be `f'"{name} via contact form" <contact-[email protected]>'` (but formatted ''safely'')
- to would be a constant (`["[email protected]"]` or something like that)
- reply_to would be `[f"{name} <{email}>"]` (but formatted ''safely'')
- subject & body would come from the form
This corrects another problem in the current example: trying to use an
email from a web form as the from_email. (No email service lets you send
messages ''from'' any random address.)
--
Ticket URL: <https://code.djangoproject.com/ticket/34753#comment:4>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
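Added example (not code from the ticket or from Django itself) showing how the contact-form headers described in the comment above can be built with the standard library's `email.headerregistry.Address`, which rejects CR/LF in any part and quotes display names that need it; the `example.com` mailboxes and the function names are placeholders assumed for this example.

```python
from email import errors
from email.headerregistry import Address

# Constant site mailboxes (placeholder values assumed for this example).
CONTACT_FORM_SENDER = "contact-form@example.com"
CONTACT_INBOX = ["support@example.com"]


def format_address(display_name: str, addr_spec: str) -> str:
    """Return an RFC 5322 mailbox string built from untrusted parts.

    Address raises ValueError if any part contains CR or LF (the header
    injection vector) or if addr_spec does not parse as exactly one
    address; display names containing specials such as ',' are quoted.
    """
    return str(Address(display_name=display_name.strip(),
                       addr_spec=addr_spec.strip()))


def contact_form_headers(name: str, email: str) -> dict:
    """Build from_email / to / reply_to for a contact-form message.

    from_email is our own constant mailbox with the visitor's name in the
    display name, to is constant, and the visitor's address goes only into
    reply_to, because a mail service will not send *from* an arbitrary
    address. The values are what you would pass to EmailMessage(...).
    """
    return {
        "from_email": format_address(f"{name} via contact form",
                                     CONTACT_FORM_SENDER),
        "to": list(CONTACT_INBOX),
        "reply_to": [format_address(name, email)],
    }


def is_safe_submission(name: str, email: str) -> bool:
    """True if the submitted name/email can be placed in headers."""
    try:
        contact_form_headers(name, email)
    except (ValueError, errors.HeaderParseError):
        return False
    return True


if __name__ == "__main__":
    # Constructed sample submissions: a normal one and an injection attempt.
    print(contact_form_headers("Smith, Alice", "alice@example.com"))
    print(is_safe_submission("Eve\r\nBcc: x@example.com", "eve@example.com"))
```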