cmccully

Everything posted by cmccully

  1. Hi All,

     I am building an input filter and using the white list approach. I am going to allow only the following characters:

     a-z A-Z 0-9 . - _ @ ' # ~ space

     I realize that the email specification allows for other characters; however, I am worried about what a bad guy may be able to do if I allow every character included in the specification. Are there other characters I should allow? Any of these I should exclude?

     Also, any thoughts on stripping out illegal characters versus rejecting the input? I am a bit concerned about re-displaying the offensive string in the web browser to allow the user a chance of correcting it. Am I being too paranoid?

     Any help or comments are appreciated.

     Thanks!
     cmccully
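The allow list from the post above, as an added example that is not part of the original post: it compares rejecting with stripping and shows the HTML encoding needed before the rejected string is shown back to the user. Python, the function names and the 254-character cap are assumptions, since the post names no language or limits.

```python
import html
import re

# Anything outside the post's allow list: a-z A-Z 0-9 . - _ @ ' # ~ space
DISALLOWED = re.compile(r"[^A-Za-z0-9.\-_@'#~ ]")
MAX_LEN = 254  # assumption: length cap, not taken from the post


def validate(value):
    """Reject approach: report offending characters, never alter the value."""
    if not value or len(value) > MAX_LEN:
        return False, []
    bad = sorted(set(DISALLOWED.findall(value)))
    return (not bad), bad


def strip_illegal(value):
    """Strip approach: drops characters silently, so the value that is
    stored can differ from what the user typed."""
    return DISALLOWED.sub("", value)


def redisplay(value):
    """Encode for an HTML text node or quoted attribute before echoing
    the submitted string back into the form."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    # Constructed sample inputs
    for raw in ["o'brien@example.com", "a<b>@example.com"]:
        ok, bad = validate(raw)
        print(repr(raw), "ok" if ok else "rejected", bad)
        print("  stripped :", strip_illegal(raw))
        print("  redisplay:", redisplay(raw))
```

The stripped form of the second input passes validation as a different address, and the apostrophe, although on the allow list, is still encoded on output.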