include::../description.adoc[]

include::../ask-yourself.adoc[]

== Recommended Secure Coding Practices

* Use an email library which sanitizes headers (java.mail >= 1.5.6).
* Use html escape functions to sanitize every piece of data used to in the email body.
* Verify application logic to make sure that email base feature can not be abuse to:
** Send arbitrary email for spamming or fishing
** Disclose sensitive email content

== Sensitive Code Example

----
import javax.mail.*;
import javax.mail.internet.MimeMessage;

public class Main {
    public static void sendEmail (Session session, String subject) throws MessagingException{
        Message message = new MimeMessage(session);  // Sensitive

        // For example the setSubject method is vulnerable to Header injection before
        // version 1.5.6 of javamail
        message.setSubject(subject);
        // ...
    }
}
----

include::../see.adoc[]