yourtempo / tempo-email-parser

MIT License
132 stars 14 forks

Sanitizing HTML #11

Closed Soreine closed 4 years ago

Soreine commented 4 years ago

See #7

Soreine commented 4 years ago

Actually, I realized that we do not need to use DOMPurify.

What we need is just to protect from XSS

Since emails are static HTML, we can protect from XSS by disabling JavaScript execution, and displaying the email in a sandbox environment.

DOMPurify is made to sanitize HTML that is run in a JS-enabled context, so it is extremely restrictive in order to be safe. For example, it removes `<link>` and `<meta>` tags, which we need to display emails correctly but which could be used to inject scripts. I initially started to write exceptions, but then it becomes insecure, because we cannot reasonably manage all the security issues that could arise from them.
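The approach described in the comment above, as an added example that is not code from tempo-email-parser: the email's static HTML is rendered inside an `<iframe>` whose `sandbox` attribute omits `allow-scripts` and `allow-same-origin`, with a `<meta>` CSP injected into the frame document as defence in depth. The `<link>` and `<meta>` tags the mail carries are left untouched, since the sandbox rather than tag removal is what makes them safe. The function names, the CSP string and the sample message are assumptions made for this example.

```javascript
// Added example, not tempo-email-parser code. Names and the CSP are assumptions.

// Sandbox token list for the frame. What matters is what is absent:
// no allow-scripts (JS never runs), no allow-same-origin (the frame gets an
// opaque origin and cannot touch the host page's cookies or DOM), no
// allow-forms, no allow-top-navigation. The two popup tokens let a link open
// in a new tab that is not itself sandboxed.
const EMAIL_FRAME_SANDBOX = 'allow-popups allow-popups-to-escape-sandbox';

// Defence in depth inside the frame document. A CSP delivered via <meta> only
// governs markup that follows it, so it must be the first thing in <head>.
// A CSP <meta> supplied by the mail itself can only tighten this policy,
// never loosen it, because multiple policies are intersected.
const EMAIL_FRAME_CSP = [
  "default-src 'none'",
  "script-src 'none'",
  "object-src 'none'",
  "form-action 'none'",
  "base-uri 'none'",
  "img-src https: data:",
  "style-src 'unsafe-inline' https:",
  "font-src https: data:",
].join('; ');

const FRAME_HEAD_PREFIX =
  `<meta http-equiv="Content-Security-Policy" content="${EMAIL_FRAME_CSP}">` +
  // Links open outside the frame instead of navigating the sandboxed document.
  '<base target="_blank">';

// Guard against the classic footgun: allow-scripts together with
// allow-same-origin lets the framed document strip its own sandbox attribute.
// For static email we want neither token at all.
function isStrictEmailSandbox(tokenString) {
  const tokens = new Set(tokenString.trim().split(/\s+/).filter(Boolean));
  return !tokens.has('allow-scripts') && !tokens.has('allow-same-origin');
}

// Insert the CSP and <base> at the very start of <head>, adding a <head>
// (or a full document) when the mail has none. Existing <meta>, <link> and
// <style> elements are kept as they are.
function buildEmailSrcdoc(emailHtml) {
  const headOpen = /<head\b[^>]*>/i.exec(emailHtml);
  if (headOpen) {
    const at = headOpen.index + headOpen[0].length;
    return emailHtml.slice(0, at) + FRAME_HEAD_PREFIX + emailHtml.slice(at);
  }
  const htmlOpen = /<html\b[^>]*>/i.exec(emailHtml);
  if (htmlOpen) {
    const at = htmlOpen.index + htmlOpen[0].length;
    return emailHtml.slice(0, at) + `<head>${FRAME_HEAD_PREFIX}</head>` + emailHtml.slice(at);
  }
  return `<!DOCTYPE html><html><head>${FRAME_HEAD_PREFIX}</head><body>${emailHtml}</body></html>`;
}

// Attributes the host page sets on the <iframe>, returned as plain data so
// they can be inspected without a DOM.
function emailFrameAttributes(emailHtml) {
  if (!isStrictEmailSandbox(EMAIL_FRAME_SANDBOX)) {
    throw new Error('email frame sandbox must not allow scripts or same-origin');
  }
  return {
    sandbox: EMAIL_FRAME_SANDBOX,
    referrerpolicy: 'no-referrer',
    srcdoc: buildEmailSrcdoc(emailHtml),
  };
}

// Browser side: build the frame and attach it to `container`. All attributes
// are set before the frame is attached, so the mail is never parsed in an
// unsandboxed document.
function mountEmailFrame(doc, container, emailHtml) {
  const attrs = emailFrameAttributes(emailHtml);
  const frame = doc.createElement('iframe');
  frame.setAttribute('sandbox', attrs.sandbox);
  frame.setAttribute('referrerpolicy', attrs.referrerpolicy);
  frame.srcdoc = attrs.srcdoc;
  container.appendChild(frame);
  return frame;
}

// Constructed sample message: keeps a <meta> and a <link> (which DOMPurify
// would strip) and carries an inline <script> and an onerror handler, neither
// of which can execute under this sandbox.
const SAMPLE_EMAIL_HTML =
  '<html><head><meta charset="utf-8">' +
  '<link rel="stylesheet" href="https://example.com/newsletter.css"></head>' +
  '<body><h1>Hello</h1><script>alert(1)</script>' +
  '<img src="x" onerror="alert(2)"></body></html>';

// Usage in a page: mountEmailFrame(document, document.body, SAMPLE_EMAIL_HTML);
```

The `sandbox` attribute is the control that actually disables JavaScript; the `<meta>` CSP only backs it up, and a `<meta>` policy cannot carry `frame-ancestors` or `sandbox` directives, so it is no substitute for the attribute. Because the frame has an opaque origin and no scripts, the host page cannot read its document to auto-size it, which is a usability trade-off of this design rather than a security gap.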