Reputation: 13536
I am using jQuery to build a web page which displays emails. The emails are read from a REST service and can be in plain text and/or HTML.
So far, all the mails I've tested which are in HTML format have just body content, i.e. no <html> or <head> or <body>. Today I got a mail in HTML format which had a whole document. The head and body tags get filtered out (by the browser presumably) but my problem is that the styles used by the mail are fetched from the sender's web site.
This raises a whole set of questions about security etc. Should my app allow such links at all? Should I extract the link and script tags and insert them in my page head?
Is there another solution similar to iframe?
Upvotes: 2
Views: 236
Reputation: 1219
An iFrame provides very little isolation, actually (at least it isolates CSS styles...). XSS can happen without script. In addition, script is executed on the client side. What can it do, maybe display porn, or unfair things, or steal local info? localStorage? Displaying HTML is really not very dangerous for your system. XSS works in forms; forms are targeted because, behind them, there are database processes. But if you only display HTML, omg, you can keep it cool. Just remove script because there is no reason for having script in a mail.
And no need to feel afraid because anyone talks about SQL injection, XSS and so forth. Given that there is no form and no ajax in your case, it is ridiculous, sorry, to answer that there are risks. You have nothing to fear in displaying HTML. Save your time.
Upvotes: 0
Reputation: 4712
I think you should use an iframe to show the contents of your mail. This way you can rely on browser security features and mitigate XSS vulnerabilities.
The service sending your HTML content should strip script tags and also set the content-security-policy header to disable inline-scripts.
Even if you want to allow script execution within an email (which I don't assume), an iframe provides better isolation than injecting the mail content into your own DOM.
Upvotes: 1
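The sandboxed-iframe approach this answer recommends, applied to the questioner's concern about a mail pulling stylesheets from the sender's site, as an added example that is not part of the original question or answer. The function names, the policy values and the `sandbox`/`srcdoc`/`referrerpolicy` combination are this example's own choices; the mail markup is untouched and the browser enforces the policy, so no regex-based tag stripping is relied on.

```javascript
// Added example (not from the original question or answers): render untrusted
// email HTML inside a fully sandboxed iframe whose document carries a
// restrictive Content-Security-Policy. Pure functions build the markup so the
// logic can be checked outside a browser; mountEmailFrame() is the only part
// that touches the DOM. Function names are this example's own.

// Policy applied to the mail document. 'unsafe-inline' for style-src keeps the
// mail's own <style> blocks and style="" attributes working; remote stylesheets,
// scripts (inline or external), fonts, forms and remote images (tracking
// pixels) are blocked by the browser. Allowing remote images is a product
// decision; widen img-src to "img-src data: https:" if you accept tracking.
const EMAIL_CSP = [
  "default-src 'none'",
  "style-src 'unsafe-inline'",
  "img-src data:",
  "form-action 'none'",
].join("; ");

// A mail that ships its own CSP <meta> cannot loosen this one: browsers
// enforce every policy a document carries, and a resource must satisfy all.
const CSP_META = `<meta http-equiv="Content-Security-Policy" content="${EMAIL_CSP}">`;

// Returns the complete document to render. A bare fragment (the common case in
// the question) is wrapped in a full document; a full document gets the CSP
// <meta> inserted as the first child of <head> so it governs everything after it.
function buildEmailDocument(mailHtml) {
  const headOpen = /<head\b[^>]*>/i;
  if (headOpen.test(mailHtml)) {
    return mailHtml.replace(headOpen, (m) => m + CSP_META);
  }
  if (/<html\b/i.test(mailHtml)) {
    // <html> without <head>: add a head right after the html open tag.
    return mailHtml.replace(/<html\b[^>]*>/i, (m) => `${m}<head>${CSP_META}</head>`);
  }
  return `<!doctype html><html><head><meta charset="utf-8">${CSP_META}</head><body>${mailHtml}</body></html>`;
}

// Attributes for the host iframe. An empty sandbox value applies every
// restriction: no script execution, an opaque origin (so the frame cannot read
// the app's cookies or localStorage), no form submission, no top navigation.
// referrerpolicy keeps the app's URL out of any request the mail does trigger.
function emailFrameAttributes(mailHtml) {
  return {
    sandbox: "",
    referrerpolicy: "no-referrer",
    srcdoc: buildEmailDocument(mailHtml),
  };
}

// Browser-only: create the iframe and attach it to a container element.
// Assigning the srcdoc property (rather than writing markup) means the mail
// HTML needs no attribute escaping.
function mountEmailFrame(container, mailHtml) {
  const attrs = emailFrameAttributes(mailHtml);
  const frame = document.createElement("iframe");
  frame.setAttribute("sandbox", attrs.sandbox);
  frame.setAttribute("referrerpolicy", attrs.referrerpolicy);
  frame.srcdoc = attrs.srcdoc;
  container.replaceChildren(frame);
  return frame;
}
```

In the jQuery app this replaces inserting the mail into the page's own DOM: `mountEmailFrame($("#mail-view")[0], mail.html)` for each message. The sandbox attribute and the in-document CSP overlap on purpose (both block scripts); the CSP is what stops the sender-hosted stylesheet and tracking-image fetches that the sandbox alone would still allow, and the sandbox is what keeps the mail in a separate origin even in a browser that ignores a `<meta>` policy inside srcdoc.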
Reputation: 1219
You should really reject the scripts.
Anyway, of course you can dynamically load/fill an iframe. Simply update its src. An iFrame is not a security insurance, though.
Note: your question is not a code issue. It should not be posted here IMO.
Upvotes: 0