Refs #35514 -- Moved EmailMessage class up in email docs.

medmunds · nessita · commit 8f3642036426 · 2026-04-15T09:26:53.000-03:00
Moved the "Preventing header injection" discussion below sections on
EmailMessage and related classes.
diff --git a/docs/topics/email.txt b/docs/topics/email.txt
@@ -265,54 +265,6 @@ setting.
     Older versions ignored ``fail_silently=True`` when a ``connection``
     was also provided. This now raises a ``TypeError``.
 
-Preventing header injection
----------------------------
-
-`Header injection`_ is a security exploit in which an attacker inserts extra
-email headers to control the "To:" and "From:" in email messages that your
-scripts generate.
-
-The Django email functions outlined above all protect against header injection
-by forbidding newlines in header values. If any ``subject``, ``from_email`` or
-``recipient_list`` contains a newline (in either Unix, Windows or Mac style),
-the email function (e.g. :func:`send_mail`) will raise :exc:`ValueError` and,
-hence, will not send the email. It's your responsibility to validate all data
-before passing it to the email functions.
-
-If a ``message`` contains headers at the start of the string, the headers will
-be printed as the first bit of the email message.
-
-Here's an example view that takes a ``subject``, ``message`` and ``from_email``
-from the request's POST data, sends that to ``admin@example.com`` and redirects
-to "/contact/thanks/" when it's done::
-
-    from django.core.mail import send_mail
-    from django.http import HttpResponse, HttpResponseRedirect
-
-
-    def send_email(request):
-        subject = request.POST.get("subject", "")
-        message = request.POST.get("message", "")
-        from_email = request.POST.get("from_email", "")
-        if subject and message and from_email:
-            try:
-                send_mail(subject, message, from_email, ["admin@example.com"])
-            except ValueError:
-                return HttpResponse("Invalid header found.")
-            return HttpResponseRedirect("/contact/thanks/")
-        else:
-            # In reality we'd use a form class
-            # to get proper validation errors.
-            return HttpResponse("Make sure all fields are entered and valid.")
-
-
-.. versionchanged:: 6.0
-
-    Older versions raised ``django.core.mail.BadHeaderError`` for some
-    invalid headers. This has been replaced with :exc:`!ValueError`.
-
-.. _Header injection: http://www.nyphp.org/phundamentals/8_Preventing-Email-Header-Injection.html
-
 .. _emailmessage-and-smtpconnection:
 
 The ``EmailMessage`` class
@@ -649,6 +601,54 @@ example::
     msg.content_subtype = "html"  # Main content is now text/html
     msg.send()
 
+Preventing header injection
+---------------------------
+
+`Header injection`_ is a security exploit in which an attacker inserts extra
+email headers to control the "To:" and "From:" in email messages that your
+scripts generate.
+
+The Django email functions outlined above all protect against header injection
+by forbidding newlines in header values. If any ``subject``, ``from_email`` or
+``recipient_list`` contains a newline (in either Unix, Windows or Mac style),
+the email function (e.g. :func:`send_mail`) will raise :exc:`ValueError` and,
+hence, will not send the email. It's your responsibility to validate all data
+before passing it to the email functions.
+
+If a ``message`` contains headers at the start of the string, the headers will
+be printed as the first bit of the email message.
+
+Here's an example view that takes a ``subject``, ``message`` and ``from_email``
+from the request's POST data, sends that to ``admin@example.com`` and redirects
+to "/contact/thanks/" when it's done::
+
+    from django.core.mail import send_mail
+    from django.http import HttpResponse, HttpResponseRedirect
+
+
+    def send_email(request):
+        subject = request.POST.get("subject", "")
+        message = request.POST.get("message", "")
+        from_email = request.POST.get("from_email", "")
+        if subject and message and from_email:
+            try:
+                send_mail(subject, message, from_email, ["admin@example.com"])
+            except ValueError:
+                return HttpResponse("Invalid header found.")
+            return HttpResponseRedirect("/contact/thanks/")
+        else:
+            # In reality we'd use a form class
+            # to get proper validation errors.
+            return HttpResponse("Make sure all fields are entered and valid.")
+
+
+.. versionchanged:: 6.0
+
+    Older versions raised ``django.core.mail.BadHeaderError`` for some
+    invalid headers. This has been replaced with :exc:`!ValueError`.
+
+.. _Header injection: http://www.nyphp.org/phundamentals/8_Preventing-Email-Header-Injection.html
+
 .. _topic-email-backends:
 
 Email backends
