include::../description.adoc[]

include::../ask-yourself.adoc[]

== Recommended Secure Coding Practices

* Use an email library which sanitizes headers (Flask-Mail or django.core.mail).
* Use html escape functions to sanitize every piece of data used to in the email body.
* Verify application logic to make sure that email base feature can not be abuse to:
** Send arbitrary email for spamming or fishing
** Disclose sensitive email content

== Sensitive Code Example

smtplib

----
import smtplib

def send(from_email, to_email, msg):    
  server = smtplib.SMTP('localhost', 1025)   
  server.sendmail(from_email, to_email, msg) # Sensitive
----
Django

----
from django.core.mail import send_mail

def send(subject, msg, from_email, to_email):    
  send_mail(subject, msg, from_email, [to_email]) # Sensitive
----
Flask-Mail

----
from flask import Flask
from flask_mail import Mail, Message

app = Flask(__name__)

def send(subject, msg, from_email, to_email):    
    mail = Mail(app)
    msg = Message(subject, [to_email], body, sender=from_email)
    mail.send(msg) # Sensitive{code}
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

'''
== Comments And Links
(visible only on this page)

=== on 28 Oct 2019, 07:42:43 Alexandre Gigleux wrote:
LGTM

include::../comments-and-links.adoc[]

endif::env-github,rspecator-view[]