How to safely display HTML emails within a web app?
Within a C# / ASP.NET MVC web app, I would like to display HTML emails received from untrusted sources. Does anyone know if there are known best practices (or even tools) to do this in a "safe" way? As far as I understand, most webmails perform extensive preprocessing (disabling image links, removing scripts etc).
Is there anything simple to be done better than just displaying the email as text only?
Joannes,
The easiest thing to do would be to use the Web Protection Library's whitelisting service to filter out potentially malicious HTML: http://wpl.codeplex.com/
As for implementing more sophisticated client behavior, such as blocking images from unknown sources unless the user authorizes it, you might want to try implementing something along these lines:
- Don't pass full `<img src="{URI}" />` tags back to the client; instead push an image with a unique ID attribute and have its src point to a default "cannot display image" icon.
- Add a button or some other UI control where a user can give their explicit consent to display images for this method.
- Build an action method on your email viewing controller which returns a JsonResult with a dictionary that contains the ID of the image along with its src value.
- Write a JavaScript method that will call the action method and swap the appropriate src values back into place upon receiving the JsonResult from your action method.
Hope this helps!
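The click-to-load scheme described in the answer above, as an added example that is not part of the original post: `quarantineImages` is the server-side step that replaces every `<img>` with a placeholder carrying a unique id and builds the id-to-src dictionary the JsonResult would return, and `restoreImages` is the client-side swap once the user consents. The placeholder path, the `img-N` ids and the regex-based tag matching are assumptions for this demo; in the real app the rewriting should walk the DOM produced by the same HTML parser that does the whitelisting, and the ids should be unguessable GUIDs.

```javascript
// Assumed path to the "cannot display image" icon (not from the original answer).
const PLACEHOLDER = "/Content/blocked-image.png";

// Matches one <img ...> tag and captures its attribute text (demo only:
// a real implementation should use an HTML parser, not regexes).
const IMG_TAG = /<img\b([^>]*?)\/?>/gi;
// Matches src="..." / src='...' / src=bare inside the captured attributes.
const SRC_ATTR = /(?:^|\s)src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/i;

// Only remote http(s) sources are kept for later release; anything else
// (javascript:, data:, file:, cid: ...) is dropped and never comes back.
function isRemoteHttp(url) {
  return /^https?:\/\//i.test(String(url).trim());
}

// Server side: replace every <img> with a placeholder that has a unique id,
// and return the id -> original src dictionary for the JSON action method.
function quarantineImages(html, makeId = (i) => `img-${i}`) {
  const sources = {};
  let n = 0;
  const rewritten = html.replace(IMG_TAG, (_, attrs) => {
    const m = SRC_ATTR.exec(attrs);
    const src = m ? (m[1] ?? m[2] ?? m[3]) : "";
    const id = makeId(n++);
    if (isRemoteHttp(src)) sources[id] = src;
    // Every original attribute is discarded: event handlers, srcset and
    // style must not survive; alt/width/height could be re-added from a whitelist.
    return `<img id="${id}" class="blocked-image" src="${PLACEHOLDER}" alt="Blocked image" />`;
  });
  return { html: rewritten, sources };
}

// Client side: after the user consents, swap the real sources back in.
// `doc` is passed in (normally `document`) so the function can be tested.
// Returns the number of images actually restored.
function restoreImages(doc, sources) {
  let restored = 0;
  for (const [id, src] of Object.entries(sources)) {
    if (!isRemoteHttp(src)) continue; // re-check: never trust the JSON blindly
    const el = doc.getElementById(id);
    if (el && el.tagName === "IMG") {
      el.src = src;
      restored++;
    }
  }
  return restored;
}
```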