Is there a risk of injection using mail function
Hi, I'm developing a contact form. I'm using the mail function to email it over to the webmaster.
Is there a risk someone could inject malicious JavaScript or perform any other injection attack?
// $to is read from the config XML file (not shown in the question)
$message = $_POST['message'];
mail($to, 'feedback', $message);
Only if you set the content type to text/html.
If register_globals is ON (which it should NOT be) there is a (huge) risk of injection (depending on where $to is really set).
Also, as David pointed out, you could sanitize $_POST['message'] if you use HTML messages (maybe with htmlspecialchars).
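As an added example (not code from the question or from either answer) of the two points raised above: the recipient must come only from the config file, never from request data (which is what register_globals would otherwise allow), and the message body needs HTML-escaping only when the mail is declared text/html. It assumes a hypothetical config.xml with a <webmaster> element and a form field named message; both names are assumptions, not something the page specifies.

```php
<?php
// Added example, not part of the original question or answers.
// Assumptions: the webmaster address lives in a config XML file with a
// <webmaster> element (hypothetical), and the form posts a 'message' field.

declare(strict_types=1);

/**
 * Load the recipient from the config file and nowhere else.
 * If the script only did `if (!isset($to)) $to = ...`, then with
 * register_globals ON a request such as ?to=attacker@example.com would
 * pre-populate $to before the script ran; an unconditional assignment
 * from the config file closes that hole.
 */
function load_recipient(string $configPath): string
{
    $xml = simplexml_load_file($configPath);
    if ($xml === false || !isset($xml->webmaster)) {
        throw new RuntimeException('config file has no <webmaster> element');
    }
    $to = trim((string) $xml->webmaster);
    // Reject anything that is not a single plain address: CR/LF or a comma
    // here would smuggle extra recipients or headers into mail().
    if (filter_var($to, FILTER_VALIDATE_EMAIL) === false
        || preg_match('/[\r\n,]/', $to)) {
        throw new RuntimeException('webmaster address is not a single valid e-mail');
    }
    return $to;
}

/**
 * Build the body. A text/plain mail is shown verbatim by the client and no
 * script can run, so nothing is escaped. Only when the mail is declared
 * text/html must user input be escaped, otherwise a <script> or
 * <img onerror=...> in the feedback renders in the webmaster's mail client.
 */
function build_body(string $userMessage, bool $asHtml): string
{
    if (!$asHtml) {
        return $userMessage;
    }
    $escaped = htmlspecialchars($userMessage, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<html><body><pre>' . $escaped . '</pre></body></html>';
}

/**
 * Send the feedback mail. The subject is a fixed literal, so it cannot carry
 * injected CR/LF headers; the only user-controlled value is the body.
 */
function send_feedback(string $to, string $userMessage, bool $asHtml = false): bool
{
    $headers = ['MIME-Version: 1.0'];
    $headers[] = $asHtml
        ? 'Content-Type: text/html; charset=UTF-8'
        : 'Content-Type: text/plain; charset=UTF-8';
    return mail($to, 'feedback', build_body($userMessage, $asHtml), implode("\r\n", $headers));
}

// Usage: $to comes only from the config file; $_POST['message'] is untrusted.
$to      = load_recipient(__DIR__ . '/config.xml');
$message = (string) ($_POST['message'] ?? '');
if ($message === '') {
    http_response_code(400);
    exit('message is required');
}
send_feedback($to, $message, false);
```

With $asHtml left false the form matches the original code's behaviour (plain text, nothing escaped) and the first answer's point holds: there is nothing for a mail client to execute. Flip it to true and build_body's htmlspecialchars call becomes the sanitization the second answer suggests; the recipient validation in load_recipient is what makes "where $to is really set" a non-issue regardless of the register_globals setting.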