I wrote a web application that fetches email via IMAP. I now need to display these emails to the user. I thought it would be simple (I am displaying HTML within an HTML-capable browser) until I looked into this a little... and discovered that there are tons of issues, such as:

  • JavaScript & security
  • Style breaking
  • Surely more

Is there a good, safe way to display an HTML email? I would err for "safe" rather than "gorgeous", even though I don't want to display just the text version of an email (which is not even guaranteed to be there anyway...)

I realise the most obvious answer is "put everything in a frame" -- is that really it though? Will it actually work?

I am using Node server side if it helps...

Merc

1 Answer

..most obvious answer is "put everything in a frame"...will it actually work?

Yes, e.g. Whiteout Networks GmbH's WHITEOUT.IO does it in /src/tpl/read.html and /src/js/controller/read-sandbox.js. Some of the security issues are handled by DOMPurify.

..there are tons of issues..Is there a good, safe way..?

I also know the message data format under the names EML or MHTML, so looking for a good "XY to HTML converter" or "HTML5 document viewer with XY support" may point you to usable results (e.g. GroupDocs.Viewer).

Some e-mail clients (e.g. GMail) don't use an iframe; instead they use a mail parser (e.g. andris9/mailparser) and an HTML parser (e.g. cheeriojs/cheerio) to extract an e-mail-safe-html subset (see Stack Overflow: What guidelines for HTML email design are there? and Stack Overflow: Styling html email for GMail for some examples), or use an HTML sanitizer (e.g. Google's Caja, cure53/DOMPurify) and embed the code directly into the page.

But it is not always an easy thing: there is no consensus on what constitutes the e-mail-safe-html subset, and you certainly don't want to inline possibly infected attachments nor run anonymous CORS scripts within the secured user's session.

Anyway, as always, studying the source code of various e-mail clients (see Wikipedia: Comparison of email clients) is the way to find out.

xmojmr
  • Will accept the answer as long as it mentions Google's Caja https://code.google.com/p/google-caja/wiki/JsHtmlSanitizer which was the key to the solution of my problem – Merc Nov 21 '14 at 23:33
  • @Merc in that case you can accept your own http://stackoverflow.com/help/self-answer and upvote mine if it brings something useful – xmojmr Nov 22 '14 at 07:33
  • your answer is amazing and I think it should be the accepted one! Please just add a quick reference to caja, that's all! – Merc Nov 22 '14 at 11:11
  • @Merc done. Still, if you already know what is the answer and what actually works for you in your application then publishing a practical self-answer might be useful for future readers – xmojmr Nov 22 '14 at 12:20
  • The Google Caja Compiler project has now moved to here: https://developers.google.com/caja/ – Søren Pedersen Sep 06 '19 at 08:24
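Added example, not from the question, the answer, or any of the projects it names: a Node.js allow-list sanitizer that implements the "e-mail-safe-html subset" policy the answer describes (keep a handful of tags, drop `script`/`style` together with their contents, strip event handlers and inline style, permit only http(s)/mailto links, and block remote images so tracking pixels never load). The tag/attribute names, the regex tokenizer and the sample message are constructed for illustration; in a real deployment the same policy should be driven by a proper HTML parser such as cheerio or a sanitizer such as DOMPurify rather than this tokenizer.

```javascript
'use strict';
// Tags kept as-is; everything else is removed but its text content is kept.
const ALLOWED_TAGS = new Set(['p', 'br', 'b', 'strong', 'i', 'em', 'u', 'a', 'ul', 'ol',
  'li', 'blockquote', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'table', 'thead', 'tbody',
  'tr', 'td', 'th', 'div', 'span', 'img', 'hr', 'pre', 'code']);
// Elements whose *contents* must be dropped too, not just their tags.
const DROP_CONTENT = new Set(['script', 'style', 'iframe', 'object', 'embed',
  'noscript', 'template', 'title', 'head']);
// No global attributes at all: no style, class, id or on* handlers survive.
const ALLOWED_ATTRS = { a: ['href'], img: ['src', 'alt', 'width', 'height'],
  td: ['colspan', 'rowspan'], th: ['colspan', 'rowspan'] };
// Prefix checks on the raw value are sound even if the tail is entity-encoded:
// entity expansion can never change a literal leading "https://" or "cid:".
const ATTR_OK = {
  href: v => /^(https?:\/\/|mailto:)/i.test(v),
  src: v => /^(cid:|data:image\/)/i.test(v),            // no remote images
  alt: () => true, width: v => /^\d{1,4}$/.test(v), height: v => /^\d{1,4}$/.test(v),
  colspan: v => /^\d{1,2}$/.test(v), rowspan: v => /^\d{1,2}$/.test(v),
};
const TAG_RE = /<!--[\s\S]*?-->|<\/?([a-zA-Z][\w-]*)([^>]*)>/g;   // comment or tag
const ATTR_RE = /([a-zA-Z][\w:-]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
const escapeText = s => s.replace(/</g, '&lt;').replace(/>/g, '&gt;');

function sanitizeEmailHtml(html) {
  let out = '', last = 0, dropUntil = null, m;
  while ((m = TAG_RE.exec(html)) !== null) {
    const text = html.slice(last, m.index);
    last = TAG_RE.lastIndex;
    if (!dropUntil) out += escapeText(text);      // text node: stray < > neutralised
    if (m[1] === undefined) continue;             // HTML comment: always dropped
    const name = m[1].toLowerCase(), closing = m[0][1] === '/';
    if (dropUntil) { if (closing && name === dropUntil) dropUntil = null; continue; }
    if (DROP_CONTENT.has(name)) { if (!closing) dropUntil = name; continue; }
    if (!ALLOWED_TAGS.has(name)) continue;        // unknown tag removed, text kept
    if (closing) { out += `</${name}>`; continue; }
    let attrs = '';
    for (const a of m[2].matchAll(ATTR_RE)) {
      const key = a[1].toLowerCase(), val = a[2] ?? a[3] ?? a[4] ?? '';
      if (!(ALLOWED_ATTRS[name] || []).includes(key) || !ATTR_OK[key](val)) continue;
      attrs += ` ${key}="${val.replace(/"/g, '&quot;')}"`;
    }
    if (name === 'img' && !attrs.includes(' src=')) continue;   // blocked image: drop it
    if (name === 'a') attrs += ' target="_blank" rel="noopener noreferrer"';
    out += `<${name}${attrs}>`;
  }
  if (!dropUntil) out += escapeText(html.slice(last));
  return out;
}

// Constructed sample message body exercising each rule above.
const SAMPLE_EMAIL_HTML = '<html><head><style>p{color:red}</style></head><body>' +
  '<p onclick="x()">Hi <b>there</b> &amp; welcome</p><script>alert(1)</script>' +
  '<a href="javascript:alert(1)">bad</a><a href="https://example.com/?a=1&amp;b=2">ok</a>' +
  '<img src="https://tracker.example/p.gif"><img src="cid:logo"><!-- c --> 1 < 2</body></html>';
console.log(sanitizeEmailHtml(SAMPLE_EMAIL_HTML));
```

The `cid:` references that survive are meant to be rewritten by the application to its own attachment endpoint, and the resulting markup should still be shown inside a sandboxed iframe as the answer suggests, so the sanitizer is one layer rather than the only one.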