Comments (2)
The "To: " field in the SMTP protocol allows a comma-separated list to send an email to multiple recipients at once.
Let me make sure I'm understanding your problem correctly... Are you talking about the SMTP protocol or the nodemailer module? I don't think the dice server code is doing raw SMTP. IIRC, SMTP requires a separate RCPT command be sent to the server for each recipient. I don't believe multiple recipients are specified in a single comma-separated list passed to one RCPT command.
Looking at the nodemailer docs, I see where the to field of the configuration passed to sendMail() says it accepts a comma-separated list of addresses. Presumably, the library handles breaking up the comma-separated list into multiple RCPT commands when it communicates with an SMTP server.
I'm going to assume going forward that it's the nodemailer API that's what you're concerned about regarding the need to escape commas.
I don't think there's a limit to this, so a maliciously crafted parameter could trick the server into sending a registration email to hundreds of people using just a single request.
Since a comma is not a valid character in an SMTP address per RFC 5322, could we not simply just validate the incoming address to ensure it is valid before sending the registration email? That is, we basically guarantee that no comma-separated list is ever passed in the to field of the sendMail() configuration.
from dice-server-js.
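One way to enforce the single-recipient check proposed above, as an added example that is not code from dice-server-js or nodemailer. It assumes the registration handler builds the sendMail() options object from the submitted address; the validator is deliberately stricter than RFC 5322 (quoted local parts, display names and angle brackets are rejected too), since the goal is that nothing placed in the to field can expand into a recipient list.

```javascript
// Added example (not dice-server-js code): a strict recipient check that
// refuses anything nodemailer could expand into more than one RCPT.
// Narrower than RFC 5322 on purpose: no quoted local parts, no display
// names, no address lists.

const STRICT_ADDRESS =
  /^[A-Za-z0-9!#$%&'*+\/=?^_`{|}~.-]+@[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)+$/;

function isSingleRecipient(value) {
  if (typeof value !== 'string') return false;       // arrays mean several recipients
  if (value.length > 254) return false;              // practical upper bound on an address
  if (/[\s,;<>"()\[\]\\]/.test(value)) return false; // list separators, display names, quoting
  if ((value.match(/@/g) || []).length !== 1) return false;
  const [local] = value.split('@');
  if (local.length === 0 || local.length > 64) return false;
  if (local.startsWith('.') || local.endsWith('.') || local.includes('..')) return false;
  return STRICT_ADDRESS.test(value);
}

// Builds the options object for sendMail(); throws instead of forwarding an
// unvalidated value into the "to" field.
function buildRegistrationMail(address) {
  if (!isSingleRecipient(address)) {
    throw new Error('registration address must be exactly one plain mailbox');
  }
  return {
    from: 'no-reply@example.invalid', // constructed sender
    to: address,
    subject: 'Confirm your registration',
    text: 'Follow the link in this message to finish registering.',
  };
}

// Constructed sample inputs: one legitimate address and several values that
// would otherwise fan out into multiple recipients or smuggle a display name.
const SAMPLES = [
  'alice@example.com',
  'alice@example.com,bob@example.org',
  'alice@example.com, bob@example.org, carol@example.net',
  '"a,b"@example.com',
  'Alice <alice@example.com>',
  'alice@example.com;bob@example.org',
];

for (const s of SAMPLES) {
  console.log(JSON.stringify(s), '->', isSingleRecipient(s) ? 'accepted' : 'rejected');
}
```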
That's exactly what I meant.
I wasn't sure about the comma thing, probably because it is a valid character if put in quotes before the actual email as a display name; that is probably what confused me.