Closed skotfred closed 3 years ago
Can you give us an exact example of what you want to do? I don't see it yet...
Aloha, Jim
On 3/4/21 10:11 AM, Scott Fredrickson wrote:
It would seem that a rule for email would not completely match any of the existing rules. Additionally, this seems to be a value that is an obvious choice for reflected attacks.
Obviously this is an edge case, but one example would be for cases where a user enters "example@domain.com" as it could be reflected back to the output.
Normal output encoding will suffice, we don’t need a special encoder for this. If the email is in an attribute then do attribute encoding, etc.
-- Jim Manico @Manicode Secure Coding Education +1 (808) 652-3805
On Mar 4, 2021, at 1:49 PM, Scott Fredrickson notifications@github.com wrote:
Obviously this is an edge case, but one example would be for cases where a user enters "example@domain.com" as it could be reflected back to the output.
Normal encoding will work here, politely closing this out.
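To illustrate the answer given in this thread, here is an added example (not code from the thread or from the project) that sends the same user-supplied email value through the Encoder's existing contextual methods. The class name, helper names, URL path and sample values are constructed for illustration; only the `Encode.*` calls are the library's own API, and the encoder jar is assumed to be on the classpath.

```java
import org.owasp.encoder.Encode;

public class EmailOutputEncoding {

    // HTML text node: the value appears between tags.
    static String asHtmlText(String email) {
        return "<td>" + Encode.forHtml(email) + "</td>";
    }

    // Quoted HTML attribute: the value appears inside value="...".
    static String asInputValue(String email) {
        return "<input type=\"text\" name=\"email\" value=\""
                + Encode.forHtmlAttribute(email) + "\">";
    }

    // URL query parameter nested in an href attribute: encode for the
    // URI component first, then encode the finished URL for the attribute.
    static String asProfileLink(String email) {
        String url = "/profile?email=" + Encode.forUriComponent(email);
        return "<a href=\"" + Encode.forHtmlAttribute(url) + "\">profile</a>";
    }

    // JavaScript string literal inside a script block.
    static String asScriptVariable(String email) {
        return "<script>var email = '" + Encode.forJavaScript(email) + "';</script>";
    }

    public static void main(String[] args) {
        // Constructed sample input: the address from the thread, plus an
        // email-shaped string carrying quote and angle-bracket characters,
        // which is why "it looks like an email" is not an output control.
        String[] samples = {
            "example@domain.com",
            "o'brien+\"tag\"<b>@domain.com"
        };
        for (String email : samples) {
            System.out.println(asHtmlText(email));
            System.out.println(asInputValue(email));
            System.out.println(asProfileLink(email));
            System.out.println(asScriptVariable(email));
            System.out.println();
        }
    }
}
```

The encoder is chosen by where the value lands in the page, not by what kind of data it is, so an email address needs no rule of its own.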
It would seem that a rule for email would not completely match any of the existing rules. Additionally, this seems to be a value that is an obvious choice for reflected attacks.