On Thu, 19 Mar 2020 21:04:05 +0000, Martin Gregorie wrote:
> On Thu, 19 Mar 2020 20:30:58 +0000, Richard Kettlewell wrote:
>
>> That’s fundamentally the wrong approach. Instead, use an appropriate
>> quoting/escaping scheme. See
>> https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
>> for many examples.
>>
> Interesting stuff, but it's all HTML and JS-related - nothing much there
> I can use outside that environment.
>
> I'm dealing with bog standard e-mails which can have been sent from
> almost any hardware using almost any software and at the immediate point
> of interest, are being passed between processes written in Python, C
> and bash. My immediate concern is to sanitise sender addresses being
> passed through a bash script, which is the only piece of the puzzle
> written by myself apart, of course, from the sanitiser.
And why would you expect bogus messages to be using an invalid sender
address? (Quite frankly, given the difficulty in validating an email
address, actually generating an invalid one must be almost as difficult.)
Sanitise the data you are actually processing.
If it is the sender address that is being stored & processed elsewhere,
then use a registration method that requires confirmation before it is
accepted.
--
There are few people more often in the wrong than those who cannot endure
to be thought so.
--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | FidoUsenet Gateway (3:770/3)
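The kind of sender-address sanitiser the thread is discussing, as an added example that is not code from anyone in this thread: a POSIX sh allowlist check, together with the habit of handing the address to the next tool as its own quoted argument instead of interpolating it into a command string. The allowlist (letters, digits, `. _ % + -` and exactly one `@`), the 254-byte cap and the function names `is_safe_sender` and `record_sender` are this example's own choices; the allowlist is deliberately narrower than what RFC 5322 permits, and the sample addresses are constructed, not real traffic.

```shell
#!/bin/sh
# Added example, not from the thread. A conservative allowlist check for a
# sender address before a bash/sh script hands it on, and the pattern of
# passing the address as one quoted argument rather than building a command
# string. Assumption: plain mailbox addresses are all this pipeline needs;
# quoted local parts, IP literals and non-ASCII addresses are rejected
# rather than parsed.

# is_safe_sender ADDR: exit 0 when ADDR is acceptable, 1 otherwise.
is_safe_sender() {
    addr=$1

    # Length guard: RFC 5321 caps a forward/reverse path at 256 octets.
    [ "${#addr}" -le 254 ] || return 1

    # Whole-string allowlist: letters, digits, . _ % + - and '@'.
    # Everything else, including whitespace, quotes, ; | & $ ( ) ` and
    # control characters, is rejected in one step.
    case $addr in
        '' | *[!A-Za-z0-9._%+@-]*) return 1 ;;
        *@*@*) return 1 ;;   # more than one '@'
        *@*) ;;              # exactly one '@'
        *) return 1 ;;       # no '@' at all
    esac

    local_part=${addr%@*}
    domain=${addr#*@}
    [ -n "$local_part" ] && [ -n "$domain" ] || return 1

    # Domain must contain a dot, have no empty label, and must not start
    # or end with a dot or a hyphen.
    case $domain in
        *.*) ;;
        *) return 1 ;;
    esac
    case $domain in
        .* | *. | *..* | -* | *-) return 1 ;;
    esac
    return 0
}

# record_sender ADDR: the downstream hand-off. The address travels as a
# single quoted argument, so nothing inside it is ever parsed as shell
# syntax; this replaces patterns such as  eval "cmd $addr"  or an unquoted
# $addr, which is where an unsanitised address becomes a shell problem.
record_sender() {
    if is_safe_sender "$1"; then
        printf 'sender=%s\n' "$1"
    else
        printf 'rejected sender: %s\n' "$1" >&2
        return 1
    fi
}

# Constructed sample inputs (not real traffic) exercising each check.
for s in 'alice@example.com' \
         'bob.smith+list@mail.example.org' \
         'alice@example.com;echo' \
         'alice example@example.com' \
         '@example.com' \
         'alice@example' \
         'alice@@example.com' \
         'alice@-example.com' \
         'alice@example..com'; do
    record_sender "$s" || true
done
```

Addresses the allowlist rejects are not necessarily invalid mailboxes; they are simply ones this pipeline chooses not to handle, which is the trade implied by sanitising the data you actually process rather than trying to validate every form an address may legitimately take.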