Is displaying an HTML email a security risk?

email, security

I am writing a simple webmail where I want (obviously) to display the emails.

I'm wondering if I should take any precaution while displaying HTML emails: is dumping the email content into a <div> a security risk?

I'm guessing yes, since the email could contain anything (could it contain JavaScript?). But then how should I proceed? How do other webmails do it?

I'm thinking that stripping dangerous HTML tags would be a bad solution since it's impossible to think of all the cases.

Best Answer

Yes, it is insecure and problematic in many ways:

  • JavaScript inside the mail could hijack the session (XSS) or do other things
  • CSS in the mail could break your layout
  • Images and other resources loaded from remote sites can be used for tracking and thus have privacy issues
  • Links in mails might carry private info in the referrer

Filtering against these things is actually the key trouble for a web mailer. Filtering is not easy, as you not only have to filter out <script> tags but also a bunch of attributes (like JavaScript event handlers).

A plain whitelist will break too many mails, though.

What you need is to collect a huge amount of sample mails from different sources and see what elements they actually need and provide these.
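
As an added example (not code from the question or the answer), here is an allowlist filter built on Python's standard `html.parser`. It addresses the four risks listed above and counts everything it removes, so the allowlist can be tuned against a corpus of sample mails. The tag list, the names `MailSanitizer` and `sanitize`, and the sample body are assumptions made for this illustration.

```python
import re
from collections import Counter
from html import escape
from html.parser import HTMLParser

# Assumed starting allowlist (tag -> attributes); tune it against real sample mails.
ALLOWED = {"a": {"href"}, "img": {"alt"}, **{t: set() for t in ("p", "br", "b", "i", "ul", "li")}}
SKIP_CONTENT = {"script", "style"}  # the element and its text are both discarded
SAFE_URL = re.compile(r"\s*(?:https?|mailto):", re.I)  # javascript:, data:, relative are refused
# Constructed sample mail body, not taken from the page.
SAMPLE = ('<p onclick="steal()">Hi</p><script>alert(1)</script><a href="javascript:alert(1)">x</a>'
          '<a href="https://example.com/">ok</a><img src="https://t.example/p.gif"><font>old</font>')

class MailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.dropped, self.skip = [], Counter(), 0

    def handle_starttag(self, tag, attrs):
        if tag in SKIP_CONTENT:
            self.skip += 1
        if self.skip or tag not in ALLOWED:
            self.dropped[tag] += 1  # recorded so the allowlist can be tuned later
            return
        kept = []
        for name, value in attrs:  # values arrive entity-decoded from the parser
            bad_url = name == "href" and not SAFE_URL.match(value or "")
            if name in ALLOWED[tag] and not bad_url:
                kept.append(f' {name}="{escape(value or "", quote=True)}"')
            else:  # on* handlers, style attributes, remote img src, unsafe links
                self.dropped[f"{tag}@{name}"] += 1
        if tag == "a":
            kept.append(' rel="noreferrer noopener"')  # keep the webmail URL out of the referrer
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in SKIP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED and tag not in ("br", "img"):
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))

def sanitize(html_body):
    parser = MailSanitizer()
    parser.feed(html_body)
    parser.close()
    return "".join(parser.out), parser.dropped
```

Running `sanitize` over each collected sample mail and summing the returned counters shows which dropped tags and attributes are common enough to consider adding to `ALLOWED`.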
