---
title: Sanitize Input Before Sending Emails
impact: MEDIUM
impactDescription: prevents email header injection
tags: email, injection, sanitization, input-validation, security, csharp
---

## Sanitize Input Before Sending Emails

Email header injection lets an attacker add headers such as `Bcc` or `From` by placing CRLF (`\r\n`) sequences in a user-supplied value that ends up in a mail header, for example the subject or a recipient address: the line break terminates the intended header and everything after it is parsed as a new one.

**Incorrect (unsanitized inputs):**

```csharp
using System.Net.Mail;

// Vulnerable to header injection: the raw value is placed straight into the Subject header
var message = new MailMessage();
message.Subject = userInput; // e.g. "Subject\r\nBcc: victim@example.com"
```

**Correct (sanitized email fields):**

```csharp
using System.Net.Mail;
using System.Text.RegularExpressions;

public static string SanitizeEmailHeader(string input)
{
    if (string.IsNullOrEmpty(input)) return input;
    // Strip CR and LF so the value cannot terminate the header line and start a new header
    return Regex.Replace(input, @"[\r\n]", ""); // Simple removal
}

var message = new MailMessage();
message.Subject = SanitizeEmailHeader(userInput);
message.Body = userInput; // The body is not subject to header injection, but encode it if IsBodyHtml is true (XSS)
```
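
The snippet below is an added example and is not part of the original card. It shows the alternative to silent stripping: rejecting any header value that contains control characters (so an injection attempt can be logged rather than quietly flattened into `SubjectBcc: victim@example.com`), and parsing recipients with `MailAddress` so a malformed address never reaches the message. The class and method names (`EmailHeaderGuard`, `TryGetHeaderValue`, `TryGetAddress`, `Demo`) and the sample inputs are this example's own, constructed for illustration.

```csharp
using System;
using System.Net.Mail;
using System.Text.RegularExpressions;

// Hypothetical helper (not from the original card): reject, rather than repair,
// header values that carry line breaks or other control characters.
public static class EmailHeaderGuard
{
    // CR, LF and every other ASCII control character are never legitimate in a header value.
    private static readonly Regex ControlChars =
        new Regex(@"[\x00-\x1F\x7F]", RegexOptions.Compiled);

    // Returns true and the trimmed value when the input is safe to place in a header,
    // false when it contains a control character (the caller can log the attempt).
    public static bool TryGetHeaderValue(string input, out string value)
    {
        value = null;
        if (input == null) return false;
        if (ControlChars.IsMatch(input)) return false; // do not strip and continue
        value = input.Trim();
        return true;
    }

    // Runs the control-character check first, then lets MailAddress reject
    // anything that is not a well-formed single address.
    public static bool TryGetAddress(string input, out MailAddress address)
    {
        address = null;
        if (string.IsNullOrWhiteSpace(input) || ControlChars.IsMatch(input)) return false;
        try
        {
            address = new MailAddress(input);
            return true;
        }
        catch (FormatException)
        {
            return false;
        }
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed inputs: one benign subject, one carrying an injected Bcc header.
        string[] subjects = { "Order confirmation", "Subject\r\nBcc: victim@example.com" };
        foreach (var s in subjects)
        {
            if (EmailHeaderGuard.TryGetHeaderValue(s, out var clean))
                Console.WriteLine($"accepted subject: {clean}");
            else
                Console.WriteLine("rejected subject: contains control characters");
        }

        // Only build the message once every header-bound value has passed validation.
        if (EmailHeaderGuard.TryGetAddress("alice@example.com", out var to) &&
            EmailHeaderGuard.TryGetHeaderValue("Order confirmation", out var subject))
        {
            var message = new MailMessage(new MailAddress("noreply@example.com"), to)
            {
                Subject = subject,
                Body = "Thanks for your order.",
                IsBodyHtml = false // plain text body: nothing to HTML-encode
            };
            Console.WriteLine($"ready to send: {message.To} / {message.Subject}");
        }
    }
}
```

Rejecting instead of stripping matters for detection: a value with `\r\n` in a subject field is almost never a typo, so a rejected value is a useful signal for logging and alerting, whereas the removal approach shown above discards that evidence.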

**Tools:** Security Code Scan, SonarQube
