I'm looking at using Amazon's Simple Email Service (SES) to send out some emails using their templates. However, the email templates will need to contain user-entered data. In order to prevent XSS attacks, I need to escape any HTML or JavaScript in the user's data, but I can't find anything in the documentation about escaping. Does SES support escaping user data?
Viewed 221 times
1 Answer
1
As per the official documentation: https://docs.aws.amazon.com/ses/latest/dg/send-personalized-email-advanced.html
Handlebars includes additional features beyond those documented in this section. For more information, see Built-In Helpers at handlebarsjs.com.
You have to have a look at https://handlebarsjs.com/guide/expressions.html#html-escaping

David Pelayo
Additionally, as per the official documentation: "SES doesn't escape HTML content when rendering the HTML template for a message. This means if you're including user inputted data, such as from a contact form, you will need to escape it on the client side." – David Pelayo Jun 29 '22 at 10:14
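The practical consequence of the answer and its comment is that the escaping has to happen in your code before the data is handed to SES. The following is an added example (not code from the question, the answer, or AWS) showing that: `escapeHtml` uses the same character set Handlebars' own `escapeExpression` escapes for `{{expr}}` (`& < > " ' \` =`), `buildTemplateData` escapes every user-controlled field, and `buildSendParams` assembles the `SendTemplatedEmail` parameter shape (`Source`, `Destination.ToAddresses`, `Template`, `TemplateData` as a JSON string). `renderUnescaped` is a hypothetical stand-in that only simulates the substitution-without-escaping behaviour the quoted SES documentation describes; it is not SES's renderer. The function names, the template text and the hostile input are all constructed for this example.

```javascript
// Added example, not from the original post or from AWS.
// Assumption (per the SES docs quoted in the comment): SES substitutes
// {{placeholders}} without HTML-escaping them, so we escape before building
// TemplateData.

// Same replacement table Handlebars' escapeExpression applies to {{expr}}.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;',
  "'": '&#x27;', '`': '&#x60;', '=': '&#x3D;',
};

// Escape a single user-supplied value for safe interpolation into HTML.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'`=]/g, (ch) => HTML_ESCAPES[ch]);
}

// Escape every user-controlled field. Fields your own application controls
// (e.g. a pre-built link) are passed separately so they are not double-escaped.
function buildTemplateData(userFields, trustedFields = {}) {
  const data = {};
  for (const [key, value] of Object.entries(userFields)) {
    data[key] = escapeHtml(value);
  }
  return { ...data, ...trustedFields };
}

// Parameter object for SES SendTemplatedEmail (TemplateData must be a JSON string).
function buildSendParams({ source, to, templateName, userFields, trustedFields }) {
  return {
    Source: source,
    Destination: { ToAddresses: to },
    Template: templateName,
    TemplateData: JSON.stringify(buildTemplateData(userFields, trustedFields)),
  };
}

// Hypothetical simulation of "substitute, never escape": this is NOT SES's
// engine, only a minimal model of the behaviour the SES docs describe.
function renderUnescaped(template, data) {
  return template.replace(/\{\{\s*(\w+)\s*\}\}/g, (m, key) =>
    (key in data ? String(data[key]) : ''));
}

// Constructed sample template and hostile contact-form input.
const TEMPLATE_HTML = '<p>Hello {{name}},</p><p>Your message: {{message}}</p>';
const hostileInput = { name: 'Eve', message: '<img src=x onerror=alert(1)>' };

// Render the same template with raw and with pre-escaped data to show the difference.
function demo() {
  const unsafe = renderUnescaped(TEMPLATE_HTML, hostileInput);
  const safe = renderUnescaped(TEMPLATE_HTML, buildTemplateData(hostileInput));
  return { unsafe, safe };
}

console.log(demo());
console.log(buildSendParams({
  source: 'noreply@example.com',
  to: ['ops@example.com'],
  templateName: 'ContactFormTemplate',
  userFields: hostileInput,
}));
```

Keep escaping at the boundary where the data enters `TemplateData` rather than in the template itself; if SES's Handlebars dialect should ever start escaping `{{expr}}`, you would see `&amp;lt;` double-escaping in mail previews, which is a harmless signal to adjust, whereas the reverse mistake is an XSS in every recipient's mail client that renders HTML.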