Using untrusted input to construct an email's body can result in multiple security vulnerabilities. For instance, including untrusted input in an email body may allow an attacker to perform cross-site scripting (XSS) attacks. Worse, including the value of an HTTP header in the email's body may even allow a complete account compromise. It is recommended not to trust such data without careful scrutiny, and to avoid including HTTP headers in the email's body.
// mail is the vulnerable example: it builds a password-reset link for the
// email body from the request's Host header, which the client controls.
// An attacker who triggers a reset for a victim can thereby choose the host
// the reset link points to and receive the token when the victim follows it.
// (net/http promotes the incoming Host header to r.Host; that field is just
// as attacker-controlled as r.Header.Get("Host") and must not be used either.)
// Mitigation: take the host from trusted application configuration, as in
// the second example.
func mail(w http.ResponseWriter, r *http.Request) {
	host := r.Header.Get("Host")
	token := os.Getenv("TOKEN")
	// NOTE: Directly using host from r.Header i.e., from the Host header.
	// Should be avoided.
	body := "Reset password? Try: " + host + "/" + token
	// The untrusted host and the secret token flow into the mail body;
	// SendMail returns an error only on transport failure, never on content.
	err := smtp.SendMail("addr", nil, "[email protected]", nil, []byte(body))
	if err != nil {
		// ...
	}
}
// mail is the corrected example: the host placed in the password-reset link
// comes from application configuration rather than from any request header,
// so a client cannot steer the link (and the token in it) to a host it
// controls. The body is otherwise built exactly as before; r is not consulted.
func mail(w http.ResponseWriter, r *http.Request) {
	// Trusted source for the link's host: configuration, not the request.
	resetHost := config.Get("Host")
	resetToken := os.Getenv("TOKEN")
	// NOTE: Instead of directly taking the host from the request's
	// Host Header, it is taken from "config" which is a much safer
	// option.
	body := []byte("Reset password? Try: " + resetHost + "/" + resetToken)
	if err := smtp.SendMail("addr", nil, "[email protected]", nil, body); err != nil {
		// ...
	}
}