How to Secure HTML email in a web application?

What is the most effective way of saniti开发者_JAVA技巧zing HTML emails displayed in a web application so that malicious code is not executable, but the html layout remains in tact?

An example of the desired functionality is the way gmail removes any script tags and delays image display.

I can use some naive regex tag stripper to try and secure the email as best I can, but what I'm looking for is a comprehensive filter that ideally sits between the client and pop server.

Does anyone have any insights into this problem?

I recommend you read the answers to Strict HTML Validation and Filtering in PHP, which asks the same question. HTML Purifier is a good starting point.

I suggest you something like http://htmlpurifier.org/ or if you use php: https://phpids.org/

Don't write your own regexp rules, they will fail! :)

To make some advertisement, if you use php, you can try my PHP Intrusion Prevention System, its Alpha but I need testers :)

http://ra23.net/wop/some_phpips/

Its a little Framework around phpids.