I want to display a mail which is in HTML format in a web page.

I guess there are several malicious things in HTML which I should remove before displaying the HTML to the user.

The HTML mail comes from an unknown source and could be created by an evil hacker.

What needs to be done to call "clean" HTML from unknown source?

Malicious content (like "Parental Advisory explicit contents") are not part of this question. I just want to be sure the HTML can do any harm.

guettli

2 Answers

-1

You can serve HTML content using the jQuery .text() method and filter all HTML tags in order to remove them from the final result so it does not look ugly for the user.

What you are looking for is XSS protection. You will find more information about this issue here: XSS (Cross Site Scripting) Prevention Cheat Sheet

EDIT: Here you can find how to filter HTML tags: JavaScript: How to strip HTML tags from string? [duplicate]

TwistedOwl
  • It's an HTML formatted email. Displaying the whole thing as source code would make most HTML emails unreadable. Stripping all the HTML out wouldn't be much better. – Quentin Aug 30 '17 at 12:46
  • If email can contain anything -> tables, images, complex divs and so on, then I don't see any other options. He can always write some special filter system which would look for key words/sentences and include them in output. If email contains only text such as content, date, signature etc. then I would suggest just extract desired part of an email what would be way easier but I guess that's not the case. – TwistedOwl Aug 30 '17 at 12:52
  • It needs a sanitising filter based on a white list of safe markup (which allows things like ` ` but not things like `onmouseover`). – Quentin Aug 30 '17 at 12:53
  • Yea that would work. Also he needs to exclude img tags to prevent publishing uncensored stuff. just figured it out second ago but u were faster :P – TwistedOwl Aug 30 '17 at 12:59
  • No need to exclude images: "Malicious content (like "Parental Advisory explicit contents") are not part of this question." – Quentin Aug 30 '17 at 12:59
-1

When using jQuery:

use .text() to escape HTML.

When using PHP:

use htmlspecialchars() to escape HTML. Don't be afraid of HTML tags visible in the browser; they are escaped.

Atr_Max