Hi Benjamin, thanks for your answer. You misunderstood me. I'm stating that the current Rails way of doing that is error-prone and subject to encoding errors and even injection. My reference to StackOverflow is to show it's something that a lot of developers face every day, the accepted answer is wrong, and - this is disturbing - the official guides seem to endorse the wrong way of doing that.
The code you pasted right from the docs is also wrong, as it suggests performing an unsafe operation, no different from suggesting <%= user.name.html_safe %> instead of <%= user.name %>. It's just like one of the StackOverflow answers that I described as "wrong". The only *safe* way is to use Mail::Address#format.

Just imagine what happens if user.name contains a double quote. Answer: no e-mail gets delivered, as the From field doesn't follow the RFC. The worst-case scenario is when user.name is Nowak" <[email protected]>, "original. This is like SQL injection, but e-mail From injection.

The trick to doing that is to format the email address in the format "Full Name <email>", *but you should never put user input into the full name or e-mail* (e.g. try #{user.email}). *Everything has to be correctly encoded with an appropriate encoder to prevent broken encoding or injection.*

Talk is cheap. Here's a demo of a successful injection:

    require 'action_mailer' # added: the demo was posted without its require

    class AdminMailer < ActionMailer::Base
      default from: '[email protected]'

      def welcome_email(user)
        @user = user
        email_with_name = %("#{@user.name}" <#{@user.email}>) # EXACT COPY-PASTE FROM DOCS
        mail(to: email_with_name, subject: 'Welcome to My Awesome Site')
      end
    end

    class TestUser
      attr_accessor :email
      attr_accessor :name
    end

    user = TestUser.new
    user.name = 'Nowak" <[email protected]>, "original'
    user.email = '[email protected]'
    email = AdminMailer.welcome_email(user)

What will this return?

    # => #<Mail::Message:71665960, Multipart: false, Headers: <From: [email protected]>, <To: "Nowak" <[email protected]>, "original" <[email protected]>>, <Subject: Welcome to My Awesome Site>, <Mime-Version: 1.0>, <Content-Type: text/html>>

Let's deliver it. Does that make sense now?

Thanks
Damian Nowak

On Sun, Dec 6, 2015 at 10:32 AM, Benjamin Fleischer <[email protected]> wrote:
> I think this is an example of stackoverflow-driven development. Unless I
> misunderstand you, the answer you seek is already in the Rails guides
> http://guides.rubyonrails.org/action_mailer_basics.html#sending-email-with-name
>
> I added this link to the stackoverflow question. Generally, any question
> from 2009 should be ignored.
>
> 2.3.4 Sending Email With Name
>
> Sometimes you wish to show the name of the person instead of just their
> email address when they receive the email. The trick to doing that is to
> format the email address in the format "Full Name <email>".
>
>     def welcome_email(user)
>       @user = user
>       email_with_name = %("#{@user.name}" <#{@user.email}>)
>       mail(to: email_with_name, subject: 'Welcome to My Awesome Site')
>     end
>
> --
> You received this message because you are subscribed to a topic in the
> Google Groups "Ruby on Rails: Core" group.
> To unsubscribe from this topic, visit
> https://groups.google.com/d/topic/rubyonrails-core/Fyjf-o7KTtQ/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to
> [email protected].
> To post to this group, send email to [email protected].
> Visit this group at http://groups.google.com/group/rubyonrails-core.
> For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To post to this group, send email to [email protected].
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/d/optout.
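The point the message above makes, shown as an added example that is not part of the thread, the Rails guides or the mail gem. It is plain Ruby with no gems, so it does not call the Mail::Address#format that Damian recommends; instead a small hand-written RFC 5322 quoted-string encoder shows what such an encoder must do, placed next to the guide's unsafe interpolation. The addresses, the INJECTED_NAME payload (same shape as the demo above, with stand-in addresses) and the helper names are all constructed for this example, and ADDR_SPEC is a deliberately conservative subset of the RFC's addr-spec grammar, not a full implementation:

```ruby
# Added example (not code from the thread, the Rails guides or the mail gem).
# Plain Ruby, no gems: shows why the guide's interpolation is injectable and
# what a header encoder has to do instead. All data below is constructed.

# Constructed payload in the same shape as the thread's demo.
INJECTED_NAME = 'Nowak" <attacker@example.net>, "original'
USER_EMAIL    = 'victim@example.org'

# The guide's construction, unchanged: raw interpolation of the user's
# name into a quoted-string. A double quote in the name closes the quotes
# early and whatever follows is parsed as header syntax.
def naive_address(name, email)
  %("#{name}" <#{email}>)
end

# RFC 5322 quoted-string: '"' and '\' inside the name must be escaped as
# quoted-pairs, and CR/LF may never appear (they would start new headers).
def quote_display_name(name)
  raise ArgumentError, 'CR/LF in display name' if name =~ /[\r\n]/
  '"' + name.gsub(/["\\]/) { |ch| "\\#{ch}" } + '"'
end

# Conservative addr-spec check (a subset of RFC 5322 dot-atom syntax):
# no spaces, commas, angle brackets or quotes can sneak into the address.
ADDR_SPEC = /\A[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]+\z/

# Hypothetical helper: name and address each go through their own encoder
# before being assembled into "Full Name <email>".
def safe_address(name, email)
  unless email =~ ADDR_SPEC
    raise ArgumentError, "invalid addr-spec: #{email.inspect}"
  end
  "#{quote_display_name(name)} <#{email}>"
end

# Counts mailboxes the way a receiving parser would: commas split the
# list unless they sit inside a quoted-string (honouring quoted-pairs).
def count_mailboxes(header)
  count = 1
  in_quotes = false
  i = 0
  while i < header.length
    ch = header[i]
    if in_quotes && ch == '\\'
      i += 1 # skip the escaped character
    elsif ch == '"'
      in_quotes = !in_quotes
    elsif ch == ',' && !in_quotes
      count += 1
    end
    i += 1
  end
  count
end

if $PROGRAM_NAME == __FILE__
  naive = naive_address(INJECTED_NAME, USER_EMAIL)
  safe  = safe_address(INJECTED_NAME, USER_EMAIL)
  puts "naive: #{naive}"
  puts "  -> #{count_mailboxes(naive)} recipients (second one injected)"
  puts "safe:  #{safe}"
  puts "  -> #{count_mailboxes(safe)} recipient"
end
```

With the payload above, the guide's form yields a To header carrying two mailboxes, one of them the attacker's, while the encoded form keeps the whole name inside one quoted-string and the header carries a single recipient. In a real Rails app the same job is done by building a Mail::Address from the validated address, setting its display name, and passing the result of #format to mail(to:), which is the route the message recommends.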
