tomazos has asked for the wisdom of the Perl Monks concerning the following question:

I am automating an email with text from an untrusted scalar $body.

    use HTML::Entities;

    # Pipe the message into sendmail; -t takes the recipients from the headers
    open MAIL, q(|/usr/lib/sendmail -t -f 'bar@bar.com') or die 'cant open sendmail';
    print MAIL "From: foo <bar\@bar.com>\n";
    print MAIL "To: boo <far\@far.com>\n";
    print MAIL "\n";                          # blank line ends the headers
    print MAIL encode_entities($body), "\n";  # untrusted $body, HTML-escaped
    print MAIL ".\n";
    close MAIL;

The encode_entities is clearly overkill.

Is there an equivalent for whatever encoding is correct for email? Or would no encoding be safe even though $body is untrusted?

-Andrew.


Andrew Tomazos  |  andrew@tomazos.com  |  www.tomazos.com

Re: encode_entities for sendmail
by jasonk (Parson) on Aug 18, 2005 at 13:05 UTC

    It really depends more on what the receivers of the email are doing with it. Not encoding with anything would be plenty safe for most mail clients that don't render HTML, running it through encode_entities would probably protect most of those that do render HTML, and even running it through s/\W// may not make it safe enough for Outlook...


    We're not surrounded, we're in a target-rich environment!
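One way to send the untrusted body safely, as an added example that is not from the original thread or any of its posters, covering both the question and jasonk's point about clients that render HTML: declare the body as text/plain and apply a MIME transfer encoding (quoted-printable) instead of HTML entities. The Subject header and the sample $body are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Encode qw(encode);
use MIME::QuotedPrint qw(encode_qp);

# Constructed untrusted input (assumed to be a character string): HTML, a
# line containing only ".", a non-ASCII character and an over-long line.
my $body = "<script>alert(1)</script>\n.\nCaf\x{e9} " . ('x' x 100) . "\n";

# Declaring text/plain tells the receiving client not to render the body as
# HTML; quoted-printable makes the bytes 7-bit clean and keeps every line
# under 76 characters, which is the encoding email transport actually needs.
my $encoded = encode_qp(encode('UTF-8', $body));

# List-form pipe open: no shell is involved, so arguments are never
# re-interpreted.  -oi stops sendmail treating a line consisting of a single
# "." as end of input, so nothing in $body can truncate the message.
open(my $mail, '|-', '/usr/lib/sendmail', '-oi', '-t', '-f', 'bar@bar.com')
    or die "cannot open sendmail: $!";
print $mail "From: foo <bar\@bar.com>\n";
print $mail "To: boo <far\@far.com>\n";
print $mail "Subject: automated message\n";   # assumed header
print $mail "MIME-Version: 1.0\n";
print $mail "Content-Type: text/plain; charset=UTF-8\n";
print $mail "Content-Transfer-Encoding: quoted-printable\n";
print $mail "\n";                             # end of headers
print $mail $encoded;
close $mail or die "sendmail failed: $!";
```

Only the fixed headers written by the script reach sendmail's -t parsing; $body sits entirely below the blank line, so it cannot add recipients or other headers.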
Re: encode_entities for sendmail
by merlyn (Sage) on Aug 18, 2005 at 14:01 UTC