I am working on this small application that receives XML, converts it into HTML, and sends it to recipients. I want to create HTML in the message body that I will be able to work with, such as a text-area that the recipient will be able to write some text in and send it back to the sender. Is this possible, or can I insert just HTML With links into the mail body? I'm writing the app in C#.
Yes, it is feasible to include form fields in an HTML email, but it is not something you should get into the habit of doing. There are several problems with this approach:
If you come to rely on those forms, you run into problems with email clients that either don't support or don't enable HTML emails. It is certainly possible to include a separate text email, but you also run into problems where email clients will impose limits on message length that may run afoul of lengthy stretches of HTML code.
Even if the client does support HTML emails, HTML forms in emails are considered by many to be a security risk, so some email clients that allow HTML emails in general will disable HTML forms altogether.
You're better off including in every type of email you send out, plain text or HTML, a link to an HTML form on your site. This gives you one standardised form to secure, configure, and support, and also prevents you from dealing with email clients that don't support your message. Incidentally, since many email clients don't support Javascript, regardless of their support for HTML, you're somewhat limited in what you can work into HTML forms when you include them in the body of an email.
EDIT: For further reading, consult this link or this answer, both of which make similar points.
Related
I want to create an Asp.net Website and I want to prevent Cross Site Scripting. I have a page with Summernote (a WYSIWYG HTML Editor), which, when submittet, posts HTML Code to MVC ActionResult via form or Ajax Post.
This Method saves this Code in my Database as content/body of a message. On another Site, you can display the content, which shows formating things like Lists etc.
Because of security reasons i want to filter the content i recieve from client. I am using the AntiXSS Library from Microsoft.
A part of my MVC Code:
[ValidateInput(false), HttpPost, ValidateAntiForgeryToken]
public ActionResult CreateMessage(string subject, string body)
{
var cleanBody = Sanitizer.GetSafeHtmlFragment(body);
//do the Database thing here
}
The major problem is, that it kills my HTML Elements with tag, because it removes the src=""
should be:
<p><img src="data:image/png;base64,some/ultra/long/picture/code/here" data-filename="grafik.png"></p>
remaining:
<p><img src="" alt=""><img src=""></p>
What can i do to prevent this?
Is there a way to add an exception rule?
Is there an another better way?
How does it work?
Thanks for help!
There is no such thing anymore as the "AntiXSS Library". It used to be a separate library, but Microsoft moved it into .Net, so it's now under System.Web.Security.AntiXss.
The reason this is important is that you need a sanitizer. The way you are using AntiXss currently will take a list of html tags and a list of attributes to those tags, and will remove everything else from your html code. That's not very good for you, because you only want to remove javascript, regardless of tags or attributes. Let's take for example <a>, with its href attribute. You most probably want to allow your users to insert links, but you don't want them to be able to insert javascript via <a href="javascript: ...">. So you cannot filter out href for <a>, but if you leave it, your page will be vulnerable to XSS.
So you want a sanitizer that only removes javascript. In the original AntiXSS library there was a sanitizer, but when Microsoft moved it to .Net, the sanitizer was left out.
So in short, AntiXss will not help you with your current usecase.
You can find proper html sanitizers like for example Google Caja (client-side sanitizer here), or many others. The point is, even if this sanitizer is in javascript (on the client), if you carefully don't insert your data into the page DOM before sanitizing it, it will all be fine.
So in short, you could just save any data from the HTML editor to your database as is without any transformation (mind sql injection of course, but current data access technologies should have that covered), and then when such data is displayed, send it to the client without adding it to the page dom (like as json data for example, but properly encoded for json then of course!), then run your sanitizer that will remove any javascript, and then add it to the page.
The reason this is very good is because your wysiwyg html editor will likely have a preview screen. Don't forget to add sanitization to previews as well, otherwise the preview will be vulnerable to XSS. If sanitization was on the server, you would have to send the editor contents to the server, sanitize it and send it back to your user for preview - not very user-friendly.
Also note that many wysiwyg editors support hooking into their rendering and adding such a sanitizer. If an editor does not support this and does not have its own sanitizer, that cannot be made secure with regard to XSS.
In the asp.net (c#) application that im using/ building I am sending an email with spacing between words u use Tabs in the body but they never seem to be acting the same when going to an other email browser.
Is there a way to get them to act the same in Gmail and Outlook of even in Outlook 14.0 and 15.0?
Name:{{ Customer.Surname}}
Email: {{ Customer.Email}}
You could format your mail body as HTML and provide a stylesheet that specifies the spacing. A lot more work than just throwing tabs in, but the results will be more consistent.
I'm not sure I understand your question correctly, but you cannot use tabs to format emails reliably.
If you want to format your emails you need to create emails with an html part that includes the formatting that you need.
so i have an email body I need to send in an email in outlook using a program I wrote in C#.
The body string has newline characters in it. I have tried everything to keep outlook from filtering them out. I even have the take out new lines option disabled and it still does it. I have tried every trick i could find on the web. I have tried Enviroment.NewLine and \r\n and anything else. It is so frustrating. Does anyone have any explanation???
If the message is sent as plaintext, most recent versions of Outlook will remove whatever it determines as extraneous newlines in the message to improve readability. Only the end user with the Outlook client has the ability to override this behavior and can do so on a message by message basis.
If you would like to have more control over the layout and formatting of the message, then you should generate your message body as an HTML message rather than a plaintext message. Of course this means that you have to do a little more work to create the message layout you want to use, but it will result in a very nice presentation and gives you much more control over things like vertical alignment and such that you cannot do reliably using just plaintext alone.
I need my .NET desktop app to be able to send various HTML mails, allowing users to create custom templates, including images and possibly CSS style (if they copy/paste the HTML from other sources).
From what I've been reading, it's not that simple:
Images need to be embedded and their links replaced with content IDs
CSS styles containing images also need to be fixed
Background color/image won't work, it's better to wrap the mail in a table and apply the CSS to it
SMTP servers can interpret lines starting with a dot as "end of transmission", so at least a space must be added to all such lines
Who knows what else
My questions are:
Is there anything else I should take care of?
Is there a library which already does this so that I don't reinvent?
One thing I can think of, make use of Alternate views for those recipients whose mail clients can't/won't accept HTML emails (or they've got it turned off). That way they'll get a plain text version, in which you could include a link to an html version live on the web if they decide want to view it.
I have also heard that not including a plain text version increases your likelyhood of being marked as spam - this is due to the fact that many mail filters compare the plain text and html versions of a message; if they differ too wildly it's not a good sign for you :-)
Other spam indicators include html messages which have more pictures than text, and generally sloppy html - broken css, bad links, missing tags etc - consider using some sort of markup validator before sending.
I have found the following CodeProject article, which describes how to embed various image resources into the mail:
Sending the contents of a webpage with images as an HTML mail.
It has some useful examples, although it doesn't seem to include an alternate plain text view, so I will have to add that.
It's still a pity that no-one has put together a library which does this stuff automatically.
I want to integrate our bug tracker system and our Support system through emails.
The bug tracker can kick out an email on every change to bugs/features. I want to download those emails, parse them and create a formatted email that the Support system can understand (ie the subject could be "Issue #4128 fixed").
What is the simplest way to accomplish this using C++ or C#?
Martin, I'd say there's no "simplest" way to do this. The easy part is downloading the e-mail. (If that's what you need help with, say so and I'll post some C# code that does this.) How you parse the e-mail depends on the format of the message.
For instance, if the body of the message contains the data you want to provide to your support system, your approach will be different than if that data is included as an attachment to the message.
With more information, I'm sure we can be more helpful.