Reputation: 3077
I've searched a lot but couldn't find the appropriate solutions to allow all html except for javascript, outside sources, or any other XSS attacks. I want to be able to display user-created emails in the browser, which inherently should allow html, head, body, style, and other tags. Most topics related to XSS filtering rely on HTMLPurifier or other solutions which aren't designed for full html output.
The best solution I've found thus far is to use the XSS filter in CodeIgniter and tweak it a bit to allow more HTML (like body tags). However, I'm afraid I'll accidentally allow something dangerous.
Are there any open-source solutions for what I'm trying to do? Surely it's been done before?
Upvotes: 0
Views: 496
Reputation: 2077
You could use the function strip_tags([allowed tags]). Include all the tags you want to allow and leave out <script>.
Upvotes: 0
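An added example, written for this page and not code from the question or the answer (Python with the standard-library HTMLParser rather than PHP): a small allowlist sanitizer that can run in two modes. With attr_aware=False it behaves like a tag-only filter such as strip_tags, keeping every attribute and URL on the tags it allows; with attr_aware=True it also allowlists attributes and URL schemes on href/src. The allowlists and the SAMPLE email body are constructed assumptions; CSS inside <style> is dropped rather than filtered, since it needs its own filter.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlists (constructed for this example; extend to the tags your emails actually need).
ALLOWED_TAGS = {"html", "head", "body", "p", "br", "b", "i", "a", "img", "table", "tr", "td"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt", "width", "height"}, "td": {"colspan"}}
SAFE_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br", "img"}
DROP_WITH_CONTENT = {"script", "style"}  # CSS needs its own filter; not covered here

def url_scheme(value):
    """Scheme as a browser reads it: embedded whitespace/control characters are ignored."""
    compact = "".join(c for c in value if c > " ")
    try:
        return urlparse(compact).scheme.lower()
    except ValueError:
        return "invalid"  # unparsable URL: treat as unsafe

class AllowlistSanitizer(HTMLParser):
    """Rebuilds the markup from allowlisted tags only; attr_aware=False mimics a
    tag-only filter such as strip_tags, which leaves every attribute untouched."""
    def __init__(self, attr_aware):
        super().__init__(convert_charrefs=True)
        self.attr_aware, self.out, self.skip = attr_aware, [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1  # drop the element and its text content
            return
        if self.skip or tag not in ALLOWED_TAGS:
            return  # disallowed tag: drop the tag, keep its text (like strip_tags)
        kept = []
        for name, value in attrs:
            value = value or ""
            if self.attr_aware:
                if name not in ALLOWED_ATTRS.get(tag, set()):
                    continue  # drops on* event handlers, style=, and anything unlisted
                if name in ("href", "src") and url_scheme(value) not in SAFE_SCHEMES | {""}:
                    continue  # drops javascript:, data:, vbscript: ... (relative URLs allowed)
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

def sanitize(markup, attr_aware=True):
    parser = AllowlistSanitizer(attr_aware)
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)

# Constructed sample email body: allowed tags carrying an event handler and a javascript: link.
SAMPLE = ('<p>Hi <b>there</b></p><img src="x" onerror="alert(1)">'
          '<a href="javascript:alert(2)">link</a><script>alert(3)</script>')
```

Running sanitize(SAMPLE, attr_aware=False) shows the tag-only result still carries onerror and the javascript: href, which is the gap the question worries about; sanitize(SAMPLE) removes both.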