I have a form that I validate data with, and what I'm wondering is, do I need to sanitize the data JUST to send an email? The email will be sent to a predefined email address. Basically the form just asks for a name, email (of the person using the form), and a URL.
Then this gets sent to the predefined email address. Is something like this safe enough to use? Is it vulnerable to use a simple ASP page like this:
<%
' Build the message from three query-string values and send it with CDO
dim objMessage
dim FullName
FullName=Request.QueryString("name")
dim email
email=Request.QueryString("email")
dim videourl
videourl=Request.QueryString("video")
dim txtMessage
txtMessage="<b><br><br>Name: " & FullName & "<br>Email: " & email & "<br><br>Video URL: " & videourl
' Object assignment needs Set in VBScript
Set objMessage = CreateObject("CDO.Message")
objMessage.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
objMessage.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserver") = "localhost"
objMessage.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25
objMessage.Configuration.Fields.Update
objMessage.Subject = "qContest Submission"
objMessage.From = email
objMessage.To = "predefined@email.org"
objMessage.HTMLBody = txtMessage
objMessage.Send
%>
NOTE: This is NOT using any database or anything like that...
Also this script is being called via AJAX, if that matters...
Always use Server.HTMLEncode when showing user-posted data in HTML. In this case you put it in the HTMLBody of the email, so I would definitely HTMLEncode:
FullName = Server.HTMLEncode(Request.QueryString("name"))
etc. This avoids the possibility of posting vulnerable things like JavaScript, as that could be executed when opening the email.
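A hardened version of the submission page, added here as an example rather than the asker's or the answerer's code. It applies the Server.HTMLEncode advice from the answer and goes one step further: every field is validated before use (the patterns reject whitespace and CR/LF, so the visitor-supplied address cannot add extra mail headers), and the message is sent from a fixed site address with the visitor's address in Reply-To. The helper names IsValidEmail and IsHttpUrl, the length limits and the From address forms@example.org are assumptions.

```vbscript
<%
Option Explicit
' Added example, not the original poster's page. Variable names follow the
' question; the helpers and the fixed From address are assumptions.

Function IsValidEmail(s)
    Dim re
    Set re = New RegExp
    ' Simple address shape: no whitespace, one @, a dotted domain.
    re.Pattern = "^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$"
    re.IgnoreCase = True
    IsValidEmail = (Len(s) <= 254) And re.Test(s)
End Function

Function IsHttpUrl(s)
    Dim re
    Set re = New RegExp
    ' Only absolute http(s) URLs without whitespace, quotes or angle brackets.
    re.Pattern = "^https?://[^\s<>""']+$"
    re.IgnoreCase = True
    IsHttpUrl = (Len(s) <= 2048) And re.Test(s)
End Function

Dim FullName, email, videourl, txtMessage, objMessage

FullName = Trim("" & Request.QueryString("name"))
email    = Trim("" & Request.QueryString("email"))
videourl = Trim("" & Request.QueryString("video"))

' Reject anything that does not look like a name, an address or a URL.
' The address check also rules out CR/LF, so the value placed in Reply-To
' cannot start a new header line.
If Len(FullName) = 0 Or Len(FullName) > 100 _
   Or Not IsValidEmail(email) Or Not IsHttpUrl(videourl) Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid submission."
    Response.End
End If

' HTML-encode every user-supplied value before it goes into HTMLBody.
txtMessage = "<b>Name:</b> " & Server.HTMLEncode(FullName) & "<br>" & _
             "<b>Email:</b> " & Server.HTMLEncode(email) & "<br><br>" & _
             "<b>Video URL:</b> " & Server.HTMLEncode(videourl)

Set objMessage = CreateObject("CDO.Message")
objMessage.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
objMessage.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserver") = "localhost"
objMessage.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25
objMessage.Configuration.Fields.Update

objMessage.Subject = "qContest Submission"
' Fixed sender owned by the site (assumed address); the visitor's address
' goes in Reply-To so a reply still reaches them.
objMessage.From = "forms@example.org"
objMessage.ReplyTo = email
objMessage.To = "predefined@email.org"
objMessage.HTMLBody = txtMessage
objMessage.Send
Set objMessage = Nothing
%>
```

Encoding the URL as text (rather than wrapping it in an anchor) keeps the page from turning a visitor-supplied string into a clickable link in the recipient's mail client; whoever reads the submission can copy it deliberately.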
Related
I have an ASP.NET website published to Azure from which emails can be sent. Some are plain text but I added a welcome email that is newsletter style with embedded images. The code is VB.NET. I have the system working nicely on our development server displaying a preview before sending the email. On Azure, the code to send the newsletter email is not working. The plain text email goes OK and I have tested the newsletter as an HTML email without the embedded images and that goes through OK. The preview can find the images so I am sure they are there and can be accessed. I do not get any error message, the email just never shows up in the sendgrid account as being processed. The code is as follows:
Try
Dim mymessage = New SendGridMessage
mymessage.From = New MailAddress("do-not-reply@company.co.uk")
mymessage.AddTo(txtemail.Text)
mymessage.Subject = "Welcome Email"
mymessage.Text = plaintext
mymessage.Html = htmlBody
Dim arrct As Integer = arrImages.Count - 1
For i As Integer = 0 To arrct
mymessage.AddAttachment(arrImages(i).ipath)
mymessage.EmbedImage(arrImages(i).fname, arrImages(i).id)
Next
Dim username = ConfigurationManager.AppSettings("emailServiceUserName")
Dim pswd = ConfigurationManager.AppSettings("emailServicePassword")
Dim credentials = New NetworkCredential(username, pswd)
Dim transportweb = New Web(credentials)
transportweb.DeliverAsync(mymessage)
'code here to display success message
Catch exc As Exception
'error code here
End Try
The array of images is populated with a number of images located in a folder as they don't change, like so:
Dim respath As String = Server.MapPath("~\ImageTemp\" + qry.ImageName)
'Extend the array
ReDim Preserve arrImages(i + 1)
arrImages(i + 1).ipath = respath
arrImages(i + 1).fname = qry.ImageName
arrImages(i + 1).id = "img" & (i + 1)
I have checked the web and can find others who have problems where the code works on the local server but not on Azure, but no answers that help with this specific question. It must be to do with the way I am handling the images, but I can't see it.
Have reviewed
Unable to send emails on Azure Web App using Sendgrid
How to send embedded images with sendgrid emails?
Sending an email with attachment using SendGrid
The answer is to change the AddAttachment code to this:
Dim arrct As Integer = arrImages.Count - 1
For i As Integer = 0 To arrct
mymessage.AddAttachment(Server.MapPath("~\ImageTemp\" & arrImages(i).fname))
mymessage.EmbedImage(arrImages(i).fname, arrImages(i).id)
Next
We use the built in asp.net membership provider to handle users accounts. The default temporary passwords that the provider creates are a little too complex for our users so I've used the below code to generate one that's a little easier to key in so that they can reset their passwords. It's working perfectly to generate the new passwords and the membership provider is using it instead of the complex one.
Here is where my issue is: When the users request a temporary password the application emails it to them. I'm trying to replace the temporary password with the one I'm generating. You can see in the below screenshots that the password I generate appends to the bottom of the email but I can't get the <%Password%> to be replaced with my new one. What am I missing?
Public Sub PasswordRecovery1_SendingMail(ByVal sender As Object, ByVal e As System.Web.UI.WebControls.MailMessageEventArgs) Handles PasswordRecovery1.SendingMail
Dim User As MembershipUser = Membership.GetUser(PasswordRecovery1.UserName)
Dim msg As String = e.Message.Body
Dim oldpswd As String = User.ResetPassword()
Dim newpass As String = GetPassword()
msg.Replace("<%Password%>", newpass)
msg += "<p>Your new password is: " & newpass & "</p>"
User.ChangePassword(oldpswd, newpass)
e.Message.Body = msg
End Sub
[Screenshot: email template I'd like to update with newpass]
[Screenshot: email that goes to the user still has the old password, with the new one at the bottom]
Replaced the "<%Password%>" with "<-TemporaryPasswordArea>" in my template, then changed the msg assignment to the following and it's replacing it correctly in the email.
msg = msg.Replace("<-TemporaryPasswordArea>", newpass)
I'm having a difficult time understanding why email I send from my website by using SMTP is going to Outlook's junk mail. Here is my code:
Dim windowsLoginName As System.String = HttpContext.Current.User.Identity.Name
Dim split As String() = Nothing
Dim vname As String
'Get network login name (name only)
split = windowsLoginName.Split("\".ToCharArray)
vname = split(1)
'create the mail message
Dim mail As New MailMessage()
'set the addresses
mail.From = New MailAddress(vname & "@x.com")
mail.To.Add(txtWhoApproves.Text)
'set the content
Dim varstreason, vartxt, vartxt2, varbody As String
varstreason = DropDownList1.SelectedItem.Text
If TextBox1.Text = TextBox2.Text Then
If CheckBox1.Checked = True Then
varbody = TextBox3.Text & " has requested the following time off: " & System.Environment.NewLine & varstreason & " - " & TextBox1.Text & " - All Day"
Else
vartxt = varstreason & " - " & TextBox1.Text
vartxt2 = DropDownList2.SelectedValue & " to " & DropDownList3.SelectedValue
varbody = TextBox3.Text & " has requested the following time off: " & vartxt & " - " & vartxt2
End If
Else
varbody = TextBox3.Text & " has requested the following time off: " & varstreason & " - " & TextBox1.Text & " to " & TextBox2.Text
End If
mail.Subject = "Time Off Approval Requested"
mail.Body = varbody
'send the message
Dim smtp As New SmtpClient("(IP Address of email server)")
'to authenticate we set the username and password properties on the SmtpClient
'smtp.Credentials = New NetworkCredential("username", "secret")
smtp.Send(mail)
I have the email coming from whoever is logged onto the network. Since it's multiple people, I remarked out smtp.Credentials because the password is different for each user (and changes periodically). I'm thinking that this is somehow causing the email to sometimes go into the junk email.
Any ideas? How can I prevent these emails from going into junk? We are using an Exchange 2010 server, and Outlook 2007, 2010, or 2013. Thanks in advance!
Maybe your website is listed as a spammer in Outlook's security systems, or your email contains some spam words or links that cause emails to go to the junk or spam box.
Spam filtering for email is based on the content of the subject, message, and attachments. It also filters based on things such as what host/IP you're sending from. If you attempt to send an email via SMTP using a host such as gmail, you'll likely notice it will inbox.
Based on your comments:
The email is coming from your website's SMTP using your domain.
The email is being received by your Exchange server which also uses the same domain.
The emails are only for an internal audience.
From here I would recommend 2 different solutions:
First Solution:
Instead of using your website's SMTP, instead use your Exchange server to send the email. This will work the same as joe@yourcompany.com sending an email to bob@yourcompany.com. The email will never need to leave the server or hit any filters (unless you set up internal filters), so it will not hit the spam box (unless an end user specifically sets it up this way). Check out this site for some help in how to accomplish this: https://www.emailarchitect.net/easendmail/kb/vbnet.aspx
Second Solution:
Use group policies to add the email address to the safe senders list for all your users (https://social.technet.microsoft.com/Forums/office/en-US/c0714d7d-2a42-4b0f-9f1d-63234c7278a0/appending-outlook-safe-senders-list-via-gpo). This seems like it should be an easy solution, but the issue is that it still may not work since you have 2 different servers using the same domain. So although the address may be added in, Outlook may view it as being a different address since it is not coming from the Exchange server. The other option in this solution is to have everyone that gets your email add it to safe senders directly from the email they receive. That would do it, but it is hugely inefficient and manual.
For some more in-depth info into the processes and technology behind email, I would recommend checking out the "How Email Works" series of articles by Click-Z (part 1 - https://www.clickz.com/clickz/column/2411041/how-email-works-part-one-the-story-of-send)
I am really struggling with something which is pretty basic and need some help, as it was not forthcoming from GoDaddy support!
For some reason the code below is not sending out any emails.
The code seems to execute properly, and I riddled it with lots of debug messages, but to no avail!
The "From" email address is valid and has no issues! Any ideas? Port?
cheers, Jay
<%
Dim objNewMail
Set objNewMail = Server.CreateObject("CDO.Message")
objNewMail.From = "info@example.com"
objNewMail.To = "info@example.com"
objNewMail.Subject = "Interesting property sent by xxx"
objNewMail.TextBody = "Click the following link to see the property :" '& vbcr & vbcr & "http://www.maltawide.eu/default.asp?pid="
' GoDaddy SMTP Settings
'I had to remove the smtp settings as I dont have enough rep to post two links!
Response.Write ("Message sent successfully!")
%>
I'm not sure why your message failed, but here is code from a working mail form hosted at GoDaddy. All you need to do is build the form page to submit the form fields used in the script, or change the form field names in the script to match your existing form, or replace the form lookups with strings. Examples of both form entry and assigned variable values are included in the ' Create the message part of the example.
<%
Dim strBody
Dim strToAddress
Dim strFromAddress
Dim strReplyAddress
Dim strBlindCC
Dim strSubject
Dim sendUrl, smtpUrl, objConfig, objMail
' Create the message
strBody = Request.Form("Message")
strToAddress = Request.Form("ToAddress")
strFromAddress = Request.Form("FromAddress")
strSubject = Request.Form("Subject") ' field name assumed; strSubject was used but never set in the original
strReplyAddress = "NoReply@WebSite.com"
strBlindCC = "BlindCC@WebSite.com"
' Include the schemas
sendUrl="http://schemas.microsoft.com/cdo/configuration/sendusing"
smtpUrl="http://schemas.microsoft.com/cdo/configuration/smtpserver"
' Set the mail server configuration
Set objConfig=CreateObject("CDO.Configuration")
objConfig.Fields.Item(sendUrl)=2 ' cdoSendUsingPort
objConfig.Fields.Item(smtpUrl)="relay-hosting.secureserver.net"
objConfig.Fields.Update
' Send the message
Set objMail=CreateObject("CDO.Message")
Set objMail.Configuration=objConfig
objMail.From=strFromAddress
objMail.ReplyTo=strReplyAddress
objMail.To=strToAddress
objMail.BCC=strBlindCC
objMail.Subject=strSubject
objMail.HTMLBody = strBody
objMail.Send
%>
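The asker's page prints "Message sent successfully!" without ever checking whether the send happened, so a failed handoff to the relay looks identical to success. The following is an added example, not the poster's code nor GoDaddy's sample, that wraps the CDO call in error handling so the failure is recorded and reported. It reuses the relay host named in the answer above; the addresses, the port and the timeout value are placeholders.

```vbscript
<%
Option Explicit
' Added example. Shows how to find out whether CDO actually accepted the
' message instead of reporting success unconditionally. Relay host taken
' from the answer; addresses, port and timeout are placeholders.
Dim objConfig, objMail, errNumber, errDescription

Set objConfig = Server.CreateObject("CDO.Configuration")
With objConfig.Fields
    .Item("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2   ' cdoSendUsingPort
    .Item("http://schemas.microsoft.com/cdo/configuration/smtpserver") = "relay-hosting.secureserver.net"
    .Item("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25
    .Item("http://schemas.microsoft.com/cdo/configuration/smtpconnectiontimeout") = 30
    .Update
End With

Set objMail = Server.CreateObject("CDO.Message")
Set objMail.Configuration = objConfig
objMail.From = "info@example.com"
objMail.To = "info@example.com"
objMail.Subject = "CDO delivery test"
objMail.TextBody = "Test message sent at " & Now()

' Capture the error instead of letting ASP abort the page, then restore
' normal error handling straight after the one call we want to inspect.
On Error Resume Next
objMail.Send
errNumber = Err.Number
errDescription = Err.Description
On Error GoTo 0

Set objMail = Nothing
Set objConfig = Nothing

If errNumber = 0 Then
    Response.Write "Message handed to the SMTP server."
Else
    ' Keep errDescription for the server-side log; it can name hosts and
    ' accounts, so only the numeric code is shown to the visitor.
    Response.Status = "500 Internal Server Error"
    Response.Write "Message could not be sent (error 0x" & Hex(errNumber) & ")."
End If
%>
```

Err.Number being zero only means the relay accepted the message; delivery after that point is the relay's business, so a non-zero code narrows the problem to the connection or the configuration fields rather than to the mailbox at the far end.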
I have a site that is all static content except the "Contact" page. My hosting service has me on an IIS server, so they gave me generic cdosys.asp file. As you know if you've used a cdosys.asp, you point the form submit from the contact page at it, and the cdosys.asp shoots whatever the site visitor put in the form fields in an email to me, then relays the visitor to a "Thanks for writing" page.
Here's my glitch. The only server-side language I've learned is ColdFusion. No ASP. The cdosys file was simple enough to figure out that I changed a few text strings so it points to my mail server and then the thank-you page. But, my contact input form only requires one out of the three offered fields. Two are optional. But the cdosys is choking on that. It thinks all the fields are required. It only works if all three have content. I Googled all over trying to find an old ASP tutorial. Can some kindly ASP pro out there tell me how to edit the code below to allow two of my three form fields to have no content and still send me an email?
<%
For Field = 1 to Request.Form.Count - 3
FieldName = Replace(Request.Form.Key(Field),"_"," ")
FieldValue = Request.Form.Item(Field)
Body = Body & FieldName & ": " & FieldValue & VbCrLf
Next
'Dimension variables
Dim objCDOSYSMail
Dim objCDOSYSCon
'Create the e-mail server object
Set objCDOSYSMail = Server.CreateObject("CDO.Message")
Set objCDOSYSCon = Server.CreateObject ("CDO.Configuration")
'Set and update fields properties
With objCDOSYSCon
'Outgoing SMTP server
.Fields("http://schemas.microsoft.com/cdo/configuration/smtpserver") = "mail.domain.com" 'was "SMTPSERVER"
.Fields("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25 'CDO Port
.Fields("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2 'cdoSendUsingPort: send over the network to the SMTP server
.Fields("http://schemas.microsoft.com/cdo/configuration/smtpconnectiontimeout") = 60
.Fields.Update
End With
'Update the CDOSYS Configuration
Set objCDOSYSMail.Configuration = objCDOSYSCon
'Set and update email properties
With objCDOSYSMail
'0=Low, 1=Normal, 2=High
.Fields("urn:schemas:httpmail:importance").Value = 1
'Who the e-mail is from
.From = Request.Form("email_address")
'Who the e-mail is sent to
.To = "myname@domain.com"
'Who the e-mail is CC'd to
.Cc = ""
'The subject of the e-mail
.Subject = Request.Form("email_subject")
'Set the e-mail body format (HTMLBody=HTML TextBody=Plain)
.TextBody = Body
.Fields.Update
'Send the e-mail
.Send
End With
'Close the server mail object
Set objCDOSYSMail = Nothing
Set objCDOSYSCon = Nothing
'Redirect after sending email
Response.Redirect Request.Form("redirect_to")
%>
Try like this:
For Field = 1 to Request.Form.Count - 3
FieldName = Replace(Request.Form.Key(Field),"_"," ")
FieldValue = Request.Form.Item(Field)
If IsNull(FieldValue) Then FieldValue = "(null)"
Body = Body & FieldName & ": " & FieldValue & VbCrLf
Next
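An added example, not the host's cdosys.asp nor the answerer's loop, of the contact handler rewritten so that two of the three fields may be left empty. Instead of walking Request.Form by index, it names the expected fields, substitutes a placeholder for empty optional ones, strips line breaks from any value that ends up in a mail header, keeps both sender and recipient fixed (the visitor's address goes in Reply-To), and redirects to a fixed path rather than to the redirect_to form value. The field names email_address, email_subject and message, the From address and the thank-you page path are assumptions.

```vbscript
<%
Option Explicit
' Added example; field names, From address and thank-you path are assumptions.

Function Clean(s)
    ' Trim and strip CR/LF so a field value cannot start a new mail header.
    Clean = Replace(Replace(Trim("" & s), vbCr, ""), vbLf, "")
End Function

Dim visitorEmail, subject, message, body, objCDOSYSCon, objCDOSYSMail

visitorEmail = Clean(Request.Form("email_address"))     ' required
subject      = Clean(Request.Form("email_subject"))     ' optional, goes in a header
message      = Trim("" & Request.Form("message"))       ' optional, body only

' The one required field: the visitor's address must at least look like one.
If Len(visitorEmail) = 0 Or InStr(visitorEmail, "@") < 2 Or InStr(visitorEmail, " ") > 0 Then
    Response.Status = "400 Bad Request"
    Response.Write "Please enter your e-mail address."
    Response.End
End If

' Empty optional fields get a placeholder instead of stopping the send.
If Len(subject) = 0 Then subject = "(no subject)"
If Len(message) = 0 Then message = "(no message)"

body = "Visitor: " & visitorEmail & vbCrLf & _
       "Subject: " & subject & vbCrLf & vbCrLf & message

Set objCDOSYSCon = Server.CreateObject("CDO.Configuration")
With objCDOSYSCon.Fields
    .Item("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
    .Item("http://schemas.microsoft.com/cdo/configuration/smtpserver") = "mail.domain.com"
    .Item("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25
    .Item("http://schemas.microsoft.com/cdo/configuration/smtpconnectiontimeout") = 60
    .Update
End With

Set objCDOSYSMail = Server.CreateObject("CDO.Message")
Set objCDOSYSMail.Configuration = objCDOSYSCon
With objCDOSYSMail
    ' Sender is a fixed site-owned address; the visitor's address goes in
    ' Reply-To, so the form cannot send mail that appears to come from others.
    .From = "contact-form@domain.com"
    .ReplyTo = visitorEmail
    .To = "myname@domain.com"
    .Subject = "Contact form: " & subject
    .TextBody = body
    .Send
End With
Set objCDOSYSMail = Nothing
Set objCDOSYSCon = Nothing

' Fixed, server-side destination instead of Request.Form("redirect_to"),
' so the handler cannot be used to bounce visitors to an arbitrary site.
Response.Redirect "/thanks.html"
%>
```

Naming the fields also removes the dependence on Request.Form.Count - 3, which silently assumes a particular number of hidden inputs on the form and breaks as soon as the form changes.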