How to display HTML email in a web application?

I wrote a web application that receives email through IMAP. Now I need to display these messages to the user. I thought it would be simple (I display HTML in an HTML-capable browser) until I looked at it a bit ... and found that there are many problems, such as:

  • JavaScript and security
  • Style conflicts
  • And of course more

Is there a good, safe way to display HTML emails? I would rather err on the side of "safe" than "gorgeous", although I do not want to display only the text version of the message (which is not even guaranteed to be there ...)

I understand that the most obvious answer is "put everything in a frame" - is this right? Will this actually work?

I use a Node backend, if that helps ...

1 answer

... the most obvious answer: "put everything in a frame" ... will this actually work?

Yes, for example, Whiteout Networks GmbH's WHITEOUT.IO does this in /src/tpl/read.html and /src/js/controller/read-sandbox.js. Some of the security issues are handled with DOMPurify.

... there are tons of issues ... Is there a good, safe way ...?

I also know the message data format under the names EML or MHTML, so searching for a good "XY to HTML converter" or "XY-enabled HTML5 document viewer" may turn up usable results (for example, GroupDocs.Viewer).

Some email clients (like GMail) don't use an iframe; instead they use a mail parser (like andris9/mailparser) and an HTML parser (like cheeriojs/cheerio) to extract a subset of email-safe HTML (see Stack Overflow: what are the recommendations for HTML email formatting? and Stack Overflow: styling HTML emails for GMail for some examples), or they use an HTML sanitizer (like Google Caja or cure53/DOMPurify) and insert the code directly into the page.

But this is not always easy: there is no consensus on what constitutes a subset of email-safe HTML, and of course you do not want to embed potentially infected attachments or run anonymous CORS scripts inside a secure user session.

In any case, as always, studying the source code of various email clients (see Wikipedia: Comparison of email clients) is a way to find out.

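The "put everything in a frame" approach from the answer above, written out as an added example (it is not code from the original answer, from WHITEOUT.IO or from any other client named on this page). It is a small Node-side helper that wraps an email body in an iframe via the srcdoc attribute with an empty sandbox attribute (every restriction on: no scripts, no forms, no top-level navigation, no same-origin access) and a meta Content-Security-Policy that blocks remote loads such as tracking pixels. The function names, the policy and the sample message are this example's own choices, not anything the page specifies; the escaping of the srcdoc value is the part people most often get wrong, because the whole document sits inside one attribute.

```javascript
// Added example: wrap an email's HTML in a sandboxed <iframe srcdoc="...">.
// Not code from the original answer or from WHITEOUT.IO; names and policy
// below are this example's own assumptions.

// Constructed sample body, as it might come out of an IMAP fetch: an inline
// style (must keep working), a remote tracking pixel and a script (must not).
const SAMPLE_EMAIL_HTML =
  '<p style="color:#333">Hello!</p>' +
  '<img src="http://tracker.example/pixel.gif" width="1" height="1">' +
  '<script>document.title = "pwned"</script>';

// Policy for the document inside the frame: no scripts, no remote resources.
// Inline styles stay allowed because that is how email layouts are built;
// images are limited to data: URIs (inline/CID images the app converts itself).
const FRAME_CSP = [
  "default-src 'none'",
  "style-src 'unsafe-inline'",
  "img-src data:",
  "form-action 'none'",
].join('; ');

// Escape a string for use inside a double-quoted HTML attribute value.
// srcdoc holds a whole document, so every '&' and '"' in it must be escaped
// or the email body terminates the attribute and lands in the host page.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Build the complete document that lives inside the frame. The <meta> CSP
// comes first; a CSP carried by the email itself can only tighten it, never
// loosen it, because multiple policies are enforced together.
function buildFrameDocument(emailHtml, csp = FRAME_CSP) {
  return (
    '<!DOCTYPE html><html><head><meta charset="utf-8">' +
    `<meta http-equiv="Content-Security-Policy" content="${escapeAttr(csp)}">` +
    `</head><body>${emailHtml}</body></html>`
  );
}

// Build the <iframe> tag the web application embeds in its own page.
// sandboxTokens defaults to '' (all restrictions on). A client that wants
// links to open in a new tab would pass
// 'allow-popups allow-popups-to-escape-sandbox' and accept that trade-off.
function buildEmailIframe(emailHtml, sandboxTokens = '') {
  const srcdoc = escapeAttr(buildFrameDocument(emailHtml));
  return (
    `<iframe sandbox="${escapeAttr(sandboxTokens)}" referrerpolicy="no-referrer" ` +
    `srcdoc="${srcdoc}"></iframe>`
  );
}

// Cheap server-side signal for logging/metrics: does the raw body carry the
// kind of content the sandbox and CSP exist to neutralise?
function riskySignals(emailHtml) {
  return {
    script: /<script\b/i.test(emailHtml),
    remoteImage: /<img\b[^>]*\bsrc\s*=\s*["']?https?:/i.test(emailHtml),
  };
}

console.log(riskySignals(SAMPLE_EMAIL_HTML));
console.log(buildEmailIframe(SAMPLE_EMAIL_HTML));
```

The frame is a containment boundary, not a substitute for sanitization: running the body through DOMPurify before it goes into buildFrameDocument still removes the script and the tracker from the markup instead of merely neutralising them, and many messages arrive as full documents with their own head and body tags, which the sanitizer is the right place to strip. With the empty sandbox attribute, links in the message do nothing; opening them requires the popup tokens noted in the code, which is exactly the decision each client on the page makes differently.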

Source: https://habr.com/ru/post/977055/