[wp-hackers] wp_mail and header injection prevention

Olivier autremonde75 at gmail.com
Sun May 9 16:20:12 UTC 2010


I am hooking on the wp_mail_from and the wp_mail_from_name on one of
my plugins to modify the source email address and the from name field.

I have checked the wp_mail function and looks like it assumes that the
filtered values are valid (unless I am wrong, I don't see any sort of
sanity check on the values returned by the filters which is fine as it
could be seen as a security enforcement). I am not sure if the fact
that the parsing to separate the fields (from, cc, subject, etc...)
has already been performed is enough to guarantee security.

I'd like to understand what kind of checks I could add in my filtering
functions to ensure that no mail header injection is performed. I have
used the is_email function for the email @. What about the from_name?
I am usually putting in it the user meta first and last name. If I
escape these using the esc_attr or esc_html, it doesn't sound very
appropriate as entities are converted and thus display is a mess. What
the about the \r\n risk?

For the mail content, as by default, it is set as plain text and not
html, there is no worry about it as far as I understood, right?


More information about the wp-hackers mailing list