Roundcube Community Forum


Does Roundcube purify HTML before sending?

Started by ktwalrus, April 29, 2013, 02:32:38 AM


ktwalrus

Does Roundcube purify message HTML before sending or displaying? Since Roundcube messages are shown in a browser window, I'm wondering what security measures are taken. Or, should I integrate some sort of filtering in my mail server, like running http://htmlpurifier.org/ over the HTML message bodies?

I'm new to RC.

alec

Roundcube does output securing when displaying a message.

ktwalrus

How does RC do "output securing"?

Does it purify the HTML? Does it change the HTML for suspicious messages? Or, just warn the user? Or, does it try to sandbox the display using iframes or some other HTML to encapsulate the message?

In my case, all RC emails will be originating from RC users, so I'd really like to Purify the HTML on send, where I can refuse to send any suspicious messages in the first place. Or, maybe set up an SMTP milter that scans messages for suspicious HTML?

I suppose it would be best to set up the milter and not worry about the mail client (like I have virus scanning running to protect the recipients).

Any advice on this?