I need my .NET desktop app to be able to send various HTML mails, allowing users to create custom templates, including images and possibly CSS style (if they copy/paste the HTML from other sources).
From what I've been reading, it's not that simple:
Images need to be embedded and their links replaced with content IDs
CSS styles containing images also need to be fixed
Background color/image won't work, it's better to wrap the mail in a table and apply the CSS to it
SMTP servers can interpret lines starting with a dot as "end of transmission", so at least a space must be added to all such lines
Who knows what else
My questions are:
Is there anything else I should take care of?
Is there a library which already does this so that I don't reinvent?
One thing I can think of, make use of Alternate views for those recipients whose mail clients can't/won't accept HTML emails (or they've got it turned off). That way they'll get a plain text version, in which you could include a link to an html version live on the web if they decide want to view it.
I have also heard that not including a plain text version increases your likelyhood of being marked as spam - this is due to the fact that many mail filters compare the plain text and html versions of a message; if they differ too wildly it's not a good sign for you :-)
Other spam indicators include html messages which have more pictures than text, and generally sloppy html - broken css, bad links, missing tags etc - consider using some sort of markup validator before sending.
I have found the following CodeProject article, which describes how to embed various image resources into the mail:
Sending the contents of a webpage with images as an HTML mail.
It has some useful examples, although it doesn't seem to include an alternate plain text view, so I will have to add that.
It's still a pity that no-one has put together a library which does this stuff automatically.
Related
I want to create an Asp.net Website and I want to prevent Cross Site Scripting. I have a page with Summernote (a WYSIWYG HTML Editor), which, when submittet, posts HTML Code to MVC ActionResult via form or Ajax Post.
This Method saves this Code in my Database as content/body of a message. On another Site, you can display the content, which shows formating things like Lists etc.
Because of security reasons i want to filter the content i recieve from client. I am using the AntiXSS Library from Microsoft.
A part of my MVC Code:
[ValidateInput(false), HttpPost, ValidateAntiForgeryToken]
public ActionResult CreateMessage(string subject, string body)
{
var cleanBody = Sanitizer.GetSafeHtmlFragment(body);
//do the Database thing here
}
The major problem is, that it kills my HTML Elements with tag, because it removes the src=""
should be:
<p><img src="data:image/png;base64,some/ultra/long/picture/code/here" data-filename="grafik.png"></p>
remaining:
<p><img src="" alt=""><img src=""></p>
What can i do to prevent this?
Is there a way to add an exception rule?
Is there an another better way?
How does it work?
Thanks for help!
There is no such thing anymore as the "AntiXSS Library". It used to be a separate library, but Microsoft moved it into .Net, so it's now under System.Web.Security.AntiXss.
The reason this is important is that you need a sanitizer. The way you are using AntiXss currently will take a list of html tags and a list of attributes to those tags, and will remove everything else from your html code. That's not very good for you, because you only want to remove javascript, regardless of tags or attributes. Let's take for example <a>, with its href attribute. You most probably want to allow your users to insert links, but you don't want them to be able to insert javascript via <a href="javascript: ...">. So you cannot filter out href for <a>, but if you leave it, your page will be vulnerable to XSS.
So you want a sanitizer that only removes javascript. In the original AntiXSS library there was a sanitizer, but when Microsoft moved it to .Net, the sanitizer was left out.
So in short, AntiXss will not help you with your current usecase.
You can find proper html sanitizers like for example Google Caja (client-side sanitizer here), or many others. The point is, even if this sanitizer is in javascript (on the client), if you carefully don't insert your data into the page DOM before sanitizing it, it will all be fine.
So in short, you could just save any data from the HTML editor to your database as is without any transformation (mind sql injection of course, but current data access technologies should have that covered), and then when such data is displayed, send it to the client without adding it to the page dom (like as json data for example, but properly encoded for json then of course!), then run your sanitizer that will remove any javascript, and then add it to the page.
The reason this is very good is because your wysiwyg html editor will likely have a preview screen. Don't forget to add sanitization to previews as well, otherwise the preview will be vulnerable to XSS. If sanitization was on the server, you would have to send the editor contents to the server, sanitize it and send it back to your user for preview - not very user-friendly.
Also note that many wysiwyg editors support hooking into their rendering and adding such a sanitizer. If an editor does not support this and does not have its own sanitizer, that cannot be made secure with regard to XSS.
I have some pre-compiled html content which I want to include in my View like:
#*View Start*#
Some precompiled html
Some view content
Some precompiled html
Some view content
Some precompiled html
#*View End*#
I have already thought of some ways but each of them has some GREAT downsides that I don't want to use it. these are the ways I have thought of:
Although these html codes are pre-compiled with fixed content they may change time to time (let say weekly) so can not be included in view itself
They're rather big in size so I don't think having them in database would be wise (would increase database size and data-bandwith)
Having them in html files and writing them into view using C# functions something like #File.ReadAllText("page-customized-head.html") and this would be slow and would make hard disk busier than it should.
I want to know if anybody can suggest a better solution or a way to improve the above solutions.
Edit:
I had put aside solutions like ajax, as in this situation was not suitable for my design. After #Hadee's comment I noticed that my description is not complete, so I'm adding some more description.
These content files can be unique for different pages of different users as user can customize css, js. add - edit remove html elements. So each user may have several pages that each page may have several different "Pre-Compiled" section.
As these content may be the head section of the page, may contain css, js (that following content may rely on it), ... ajax is not suitable in here.
And as for partial views, I don't see any different between them and having the content written into html file. Actually I think html file and #File.ReadAllText("page-customized-head.html") would be faster, as unlike .cshtml it does not need compiling.
I have a web page that uses a webmail service to send emails. This is on an company intranet using a Microsoft Exchange server. My website created an email with a link to an image handler on my website. In my code, I can print some debug messages and I see:
<img src='http://tav.target.com/VIBEHandler.ashx?id=z064441_45975&type=Amazing'/>
But in the email, when I view the source code, I see this:
<img src="http://tav.target.com/VIBEHandler.ashx?id=z064441_45975&type=Amazing"/>
My single quotes changed to double quotes (no big deal).
&
changed to
&
This causes the URL to not work and images appear as the red "x", indicating a missing image.
How can I preserve my URL?
Your 3rd party emailing service might be converting your HTML document to a valid XML document for compatibility reasons.
http://en.wikipedia.org/wiki/List_of_XML_and_HTML_character_entity_references
Basically, in XML, an ampersand character represents and XML entity, and can not be used unless you place the text within a CDATA node. Your 3rd party service seems to just be converting the & to & , which would work to safely display the value, but doesn't do too much for a URL.
http://www.w3schools.com/xml/xml_cdata.asp
If I were in your situation, I would URL encode the image URL when generating the HTML document that is being sent out. This way, it is both a proper link, and a valid XML string.
HttpUtility.UrlEncode(myUrlString);
http://msdn.microsoft.com/en-us/library/4fkewx0t%28v=vs.110%29.aspx
Hope this helps!
The best solution we could come up with is to use a single variable with multiple values separated with an underscore. This eliminates the need for the '&' symbol entirely and makes everything happy and compatible.
The URL is basically a link to an image handler so we can include images in emails without the use of attachments, shared drives, etc. The image handler can also do things like merge images together to create a single image (WAY better than trying to overlap images in emails which almost NEVER works). I simply added some code to the image handler that can check for and dissect the "meta-variable" in my URL.
http://sample.com?var=ONE_TWO_THREE
http://sample.com?var1=ONE&var2=TWO&var3=THREE
The URL now looks more clean and can have as many variables as I want so long as I put everything in the exact correct order, read it all in using the same sequence, don't miss anything, and document everything well. I COULD go one step farther and specify what each variable means:
http://sample.com?var=first-Nicolai_last-Dutka_age-34_etc-foobar
But that just tells the whole world what all my variables mean! Hypothetically, I could do:
http://sample.com?var=24154#kja&nl897q45pjkh8&&^HJ435
Then it would be up to me to determine where the breaking points are to bust that up into the variables:
24151, kja*, n1897, 45, etc
Of course, I'm not going to be that complex and will likely just stick to:
http://sample.com?var=ONE_TWO_THREE
Enjoy!
I have a Win Form application that does some boring accounting stuff and then sends it's data to some lucky recipients. I am using the Outlook 12.0 Interop objects and my applications environment ranges from office 2003 on XP to office 2007 on Win 7.
My issue lies with sending the corporate signature with the sent emails.
It contains two images and I would like to embed these images so they appear to be part of the body (assuming the receiving mail client supports that).
I have tried a few different methods of accomplishing this; but still no luck!
I have tried:
Extracting the html data from the signatures folder, changing the
html img tags src attribute to include 'file///'. This causes Outlook
to replace the 'file///' with 'CID' and I assumed it would also embed
the image... we should never assume :|. This is the method I found
worked best for getting the rest of the signature.
(After creating a new MailItem) - Grabbing the HTMLBody of the MailItem
and extracting the relevant part including the signature... This
didnt work due to the new MailItem object being very inconsistent
with it's signature. By that I mean sometimes the new item would
include the signature and sometimes it wouldn't! :s I cannot figure out why it is not always there, no other part of my code has changed!
I read on another post here about the GetInspector property... Apparently just calling this will do 'Some stuff' and the signature will magically appear in your mail item... NO!
Things I can't do:
I cannot (as much as i would like to) shove the images online
somewhere and point to them in the emails html.
I cannot use SMTP(It has to be through Outlook... sigh).
I am thinking that the best way seems to be my original method of messing about with the CID, but I do not really know much about what Outlook is doing in the background so I am having trouble figuring out what else I need to do to get the images sent along with the email.
Hoping someone out there has some idea about what I am doing wrong or what else I could try.
Please let me know if code would be helpful and I will post, (Most of the code tried is from this site... I just cannot find the links again and am trying to avoid making this question tooooo long).
Many thanks
This is not the most efficient or flexible solution you can use, but probably the most robust and portable. You can convert your image bitmap into plain HTML and embed that HTML in your e-mail signature.
The conversion is quite simple, you can use the utility I wrote (open source) here.
I am working on this small application that receives XML, converts it into HTML, and sends it to recipients. I want to create HTML in the message body that I will be able to work with, such as a text-area that the recipient will be able to write some text in and send it back to the sender. Is this possible, or can I insert just HTML With links into the mail body? I'm writing the app in C#.
Yes, it is feasible to include form fields in an HTML email, but it is not something you should get into the habit of doing. There are several problems with this approach:
If you come to rely on those forms, you run into problems with email clients that either don't support or don't enable HTML emails. It is certainly possible to include a separate text email, but you also run into problems where email clients will impose limits on message length that may run afoul of lengthy stretches of HTML code.
Even if the client does support HTML emails, HTML forms in emails are considered by many to be a security risk, so some email clients that allow HTML emails in general will disable HTML forms altogether.
You're better off including in every type of email you send out, plain text or HTML, a link to an HTML form on your site. This gives you one standardised form to secure, configure, and support, and also prevents you from dealing with email clients that don't support your message. Incidentally, since many email clients don't support Javascript, regardless of their support for HTML, you're somewhat limited in what you can work into HTML forms when you include them in the body of an email.
EDIT: For further reading, consult this link or this answer, both of which make similar points.