Joannes Vermorel

Reputation: 9245

How to safely display HTML emails within a web app?

Within a C# / ASP.NET MVC web app, I would like to display HTML emails received from untrusted sources. Does anyone know if there are known best practices (or even tools) to do this in a "safe" way? As far as I understand, most webmails perform extensive preprocessing (disabling image links, removing scripts, etc.).

Is there anything simple to be done better than just displaying the email as text only?

Upvotes: 5

Views: 771

Answers (1)

Aaronontheweb

Reputation: 8404

Joannes,

The easiest thing to do would be to use the Web Protection Library's whitelisting service to filter out potentially malicious HTML: http://wpl.codeplex.com/

As for implementing more sophisticated client behavior, such as blocking images from unknown sources unless the user authorizes it, you might want to try implementing something along these lines:

  1. Don't pass full <img src="{URI}" /> tags back to the client - instead push an image with a unique ID attribute and have it src to a default "cannot display image" icon instead.
  2. Add a button or some other UI control where a user can give their explicit consent to display images for this method.
  3. Build an action method on your email viewing controller which returns a JsonResult with a dictionary that contains the ID of the image along with its src value.
  4. Write a JavaScript method that will call the action method and swap the appropriate src values back into place upon receiving the JsonResult from your action method.

Hope this helps!

Upvotes: 3
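Steps 1 and 3 of the answer as an added C# example (not code from the answer, from the WPL, or from any project): it assumes HtmlAgilityPack for parsing the message and ASP.NET MVC for the JsonResult, and it is meant to run on HTML that has already been through the whitelist sanitizer. The `src` to ID map is kept server-side so the client never sees a remote URL until the user consents.

```csharp
using System;
using System.Collections.Generic;
using System.Web.Mvc;
using HtmlAgilityPack;   // assumption: HtmlAgilityPack NuGet package

public static class RemoteImageGate
{
    // Only these schemes are ever handed back to the client after consent;
    // javascript:, data:, file: and relative paths are dropped outright.
    static readonly HashSet<string> AllowedSchemes = new HashSet<string> { "http", "https" };

    // Rewrites every <img> into a placeholder with a unique id and fills
    // 'blocked' with placeholderId -> original absolute URL.
    public static string RewriteImages(string sanitizedHtml, IDictionary<string, string> blocked)
    {
        var doc = new HtmlDocument();
        doc.LoadHtml(sanitizedHtml);
        var imgs = doc.DocumentNode.SelectNodes("//img");
        if (imgs == null) return doc.DocumentNode.OuterHtml;

        foreach (var img in imgs)
        {
            string src = img.GetAttributeValue("src", string.Empty);
            string id = "blocked-img-" + Guid.NewGuid().ToString("N");

            Uri uri;
            if (Uri.TryCreate(src, UriKind.Absolute, out uri) && AllowedSchemes.Contains(uri.Scheme))
                blocked[id] = uri.AbsoluteUri;        // remembered server-side only

            // Drop all attributes so onerror=, srcset=, style= etc. cannot survive the rewrite.
            img.Attributes.RemoveAll();
            img.SetAttributeValue("id", id);
            img.SetAttributeValue("src", "/Content/blocked-image.png"); // "cannot display" icon
            img.SetAttributeValue("alt", "Remote image blocked");
        }
        return doc.DocumentNode.OuterHtml;
    }
}

public class EmailController : Controller
{
    // Step 3: returns { placeholderId: url } for one message, only on an explicit POST
    // made after the user clicked the "show images" control.
    [HttpPost]
    public JsonResult ImageSources(int messageId)
    {
        IDictionary<string, string> map = BlockedImageStore.Get(messageId); // hypothetical per-message store
        return Json(map);
    }
}
```

The JavaScript in step 4 then does `document.getElementById(id).src = url` for each entry, so the only URLs it can ever set are the http/https ones the server chose to release.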
