Closed nicholaschiang closed 3 years ago
Some StackOverflow answers on how to safely parse and display HTML emails:
Ideally, we'd want to just do what Gmail does: embed a safe "bleached" version of the HTML email directly into the DOM. To do this, we need a secure way to sanitize the email HTML and ensure that it is safe to embed directly. There are a couple of popular libraries for this (because we definitely should not build this ourselves):
SafeHTML
utilities we could use to sanitize HTML emails before embedding them directly into the DOM. This is probably what Gmail uses.Once we sanitize the HTML emails, we will probably want to take that a step further and, instead of embedding them directly into the DOM, we should place them within a sandboxed iframe
and implement a strict CSP to prevent XSS attacks.
This issue itself would be easily solved using a DOMPurify
hook:
DOMPurify.addHook('afterSanitizeAttributes', function(node) {
// open all links in a new window
if ('target' in node) {
node.setAttribute('target', '_blank');
}
});
Some more packages reviewed by this article on preventing XSS attacks:
Similar to what Gmail already does, we should modify all the links within an HTML email to open in a new tab. We should also take care of any security concerns like tabnabbing by using
rel
attributes:See this original Notion issue from @jurajpal or @martinsrna (I'm not sure).