Sanitizing The Contact Form : Required?


Well-known member
I'm wondering if one should really bother about sanitizing the inputs from the contact us form? Looking at XenForo's actionContact(), it doesn't seem to check if the input contains anything malicious. Since the stuff is directly being passed to the mail handler, is it really worth sanitizing the contact us form?

If yes, what inbuilt functions / methods are employed to ensure inputs are all safe?


Well-known member
I could be wrong, but I believe the inputs are filtered (sanitized).
$input = $this->_input->filter(array(
         'subject' => XenForo_Input::STRING,
         'message' => XenForo_Input::STRING
));
That should strip out control characters and other items. Take a look at the XenForo_Input class for more info.

Anything else I would think would be handled by the server virus scanner and the end user's virus scanners.


Well-known member
Thank you @Snog. I'm however not sure if the 'filter' would actually filter or sanitize the input information. Can someone confirm this?
By filter and sanitize do you mean remove code, like: <script> blah blah blah</script>? If so, then it doesn't for the contact us form. Which should not be a concern as email clients won't process this in the body anyways.

IMO, it is not worth sanitizing as I want to see what malicious code someone is trying to send, and then why.


Active member
@TheBigK The template engine takes care of escaping all HTML. If you escape it first, then it's going to get double-escaped, and you'll have emails that look like &lt;span class=&quot;banana&quot;&gt;this&lt;span&gt;.

... as I want to see what malicious code someone is trying to send, and then why.
Because you have a contact form.
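The two separate steps discussed in this thread, input filtering and output escaping, as an added stand-alone example (not XenForo's code; filterString() is a hypothetical stand-in for what the posters say XenForo_Input::STRING does, and renderTemplate() stands in for the template engine):

```php
<?php
// Added example, not XenForo's code. It shows why a contact form only needs
// input filtering at request time, and why escaping HTML yourself before the
// template runs produces the double-escaped entities described above.

function filterString(string $raw): string
{
    // Hypothetical stand-in for XenForo_Input::STRING: drop ASCII control
    // characters (keeping tab, LF and CR) and trim. It does NOT touch HTML.
    $clean = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', '', $raw);
    return trim($clean);
}

function renderTemplate(string $subject, string $message): string
{
    // Stand-in for the template engine: escape exactly once, at output.
    // Any <tag> in the message is shown as literal text, never rendered.
    return '<p><b>' . htmlspecialchars($subject, ENT_QUOTES, 'UTF-8') . '</b></p>'
         . '<p>' . nl2br(htmlspecialchars($message, ENT_QUOTES, 'UTF-8')) . '</p>';
}

// Constructed sample submission: a NUL byte in the subject, a BEL byte and an
// HTML tag in the message.
$raw = [
    'subject' => "Hello\x00 there",
    'message' => "<span class=\"banana\">this</span>\x07",
];

$input = [
    'subject' => filterString($raw['subject']),
    'message' => filterString($raw['message']),
];

// Correct path: filtered input, escaped once by the template.
echo renderTemplate($input['subject'], $input['message']), PHP_EOL;

// Wrong path: escaping the message yourself before the template escapes it again.
$preEscaped = htmlspecialchars($input['message'], ENT_QUOTES, 'UTF-8');
echo renderTemplate($input['subject'], $preEscaped), PHP_EOL;
```

The first line printed shows the control characters gone and the span tag rendered as harmless visible text; the second shows the &amp;lt; style entities that appear when the same message is escaped twice.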