current community

your communities

more stack exchange communities

Stack Exchange
tour help
Take the 2-minute tour ×
Programmers Stack Exchange is a question and answer site for professional programmers interested in conceptual questions about software development. It's 100% free, no registration required.
up vote 1 down vote favorite

I am writing a simple webmail where I want (obviously) to display the emails.

I'm wondering if I should take any precaution while displaying HTML emails: is dumping the email content into a <div> a security risk?

I'm guessing that yes since the email could contain anything (could it contain Javascript?). But then how should I proceed? How do other webmails do?

I'm thinking that stripping dangerous HTML tags would be a bad solution since it's impossible to think of all the cases.

share|improve this question
    
Yes, you are right about the security risks. Why build this yourself? There are a number of open source webmail solutions available. –  dan1111 Mar 25 at 14:22
1  
@dan1111 Thanks for your comment, but I definitely don't want to go down that path of discussing whether or not I want to do what I want to do :) (I have a bit of experience of stack exchange to know it leads nowhere) –  Matthieu Napoli Mar 25 at 14:27
1  
Of course, it leads nowhere if you ask a question and arbitrarily ignore any advice ;-). This is such a complex problem that you really should pick something off the shelf. Unless, of course there is a "thou shalt not" style blockage (e.g. it's for coursework) in which case stating the fact will help avoid such comment trails. –  Rob Baillie Mar 25 at 14:34
1  
@MatthieuNapoli, fair enough. But think of it from the opposite perspective: why should people spend time helping solve a problem that has a solution freely available? A lot of questions on SO arise from attempts to reinvent the wheel. If you want to head off this kind of criticism, having your question say why you want to do this would help. –  dan1111 Mar 25 at 16:27

2 Answers 2

up vote 0 down vote

The basic problem is that you are asking the end user to place the same trust they give your web domain to the content of the HTML email, the content of which, you have limited control over.

The only safe way that I know for sure is reliable is to strip the HTML email down to pure and simple text and text formatting options such as p, em tags. Although this is hardly what people would consider HTML email.

Start allowing anything beyond presentational tags and you are making assumptions that you know more about how these tags can be misused than the mal-ware writers. And believe me, that is a brave claim for anyone to make.

share|improve this answer
up vote 4 down vote

Yes it is insecure and problematic in many ways:

  • JavaScript inside the mail could hijack the session (XSS) or do other things
  • CSS in the mail could break your layout
  • Images and other resources loaded from remote sites can e used for tracking and thus have privacy issues
  • Links in mails might carry private info in the referrer

Filtering against these things is actually the key trouble for a web mailer. Filtering is not easy as you not only have to filter out <script> tags but also a bunch of attributes (like javascript event handlers)

A plain whitelist will break too many mails, though.

What you need is to collect a huge amount of sample mails from different sources and see what elements they actually need and provide these.

share|improve this answer
    
Not to mention that links in e-mails may be phishing links. Depends entirely on how "safe" OP would like to be. –  Neil Mar 25 at 14:30
    
Thank you for the answer. I'm surprised it's such a problem, there are so many mail clients how do they all do if that is so complex? And I mean "Safe" like any other webmail (i.e. not necessarily the safest in the world). Phishing/beacons are out of scope (for my question at least), I'm not focusing on privacy or human error-related risks (yet). –  Matthieu Napoli Mar 25 at 14:40
2  
Some limit to plain text or very limited HTML, many are broken :-/ –  johannes Mar 25 at 14:44
    
@MatthieuNapoli Many of them are not so safe. The ones that are (relatively speaking), have spent significant effort to become so. –  Eric King Mar 25 at 14:48
1  
@GlennNelson hopefully no mail client executes javascript, but the question was about "dumping the email content into a <div>". Simply dumping the HTL mail in a <div> in a web mailer will execute javascript which is embedded in a mail. –  johannes Mar 25 at 15:54

Your Answer

 
discard

By posting your answer, you agree to the privacy policy and terms of service.

Not the answer you're looking for? Browse other questions tagged or ask your own question.