I want to display a mail which is in HTML format in a web page.
I guess there are several malicious things in HTML which I should remove before displaying the HTML to the user.
The HTML mail comes from an unknown source and could be created by a evil hacker.
What needs to be done to call "clean" HTML from unknown source?
Malicious content (like "Parental Advisory explicit contents") are not part of this question. I just want to be sure the HTML can do any harm.
On
You can serve html content using jquery .text() method and filter all html tags in order to remove them from final result so it does not look ugly for user.
What you are looking for is XSS protection. You will find more information about this issue here: XSS (Cross Site Scripting) Prevention Cheat Sheet
EDIT: Here you can find how to filter html tags: JavaScript: How to strip HTML tags from string? [duplicate]
When using
jQuery:use
.text()to escape HTML.When using
PHP:use
htmlspecialchars()to escape HTML. Don't be afraid of HTML tags visible in the browser, they are escaped.