We automatically remove unsupported scripts from HTML emails to protect our users from harm. Unsupported scripts can be used to execute malicious code, such as viruses and spyware. We are committed to providing a safe and secure email experience for our users, and removing unsupported scripts is one way we do that.
Why Was My HTML Content Modified?
When using our email-sending application, you may have noticed that certain HTML content, such as <script> tags, is automatically removed or modified. We want to ensure the security and compatibility of our email service, and this document explains why and how we handle HTML content.
Security and Compatibility Concerns
1. Script Tags (<script>)
Why We Modify Them: <script> tags can execute arbitrary code, which poses a security risk in email content. To protect our users, we automatically remove or modify <script> tags.
2. Whitelisted Tags and Attributes
We maintain a predefined whitelist of HTML tags and attributes that are allowed in email content. These tags and attributes are chosen to ensure compatibility with email clients and to maintain security.
Here is the list of whitelisted HTML tags:
<a>
<abbr>
<address>
<area>
<article>
<aside>
<b>
<base>
<bdi>
<bdo>
<big>
<blockquote>
<body>
<br>
<button>
<canvas>
<caption>
<center>
<cite>
<code>
<col>
<colgroup>
<data>
<datalist>
<dd>
<del>
<details>
<dfn>
<dialog>
<div>
<dl>
<dt>
<em>
<fieldset>
<figure>
<font>
<footer>
<form>
<h1>
<h2>
<h3>
<h4>
<h5>
<h6>
<head>
<header>
<hgroup>
<hr>
<html>
<i>
<img>
<input>
<ins>
<kbd>
<keygen>
<label>
<legend>
<li>
<link>
<main>
<map>
<mark>
<menu>
<menuitem>
<meta>
<meter>
<nav>
<noscript>
<object>
<ol>
<optgroup>
<option>
<output>
<p>
<param>
<pre>
<progress>
<q>
<rb>
<rp>
<rt>
<rtc>
<ruby>
<s>
<samp>
<section>
<select>
<small>
<source>
<span>
<strong>
<strike>
<style>
<sub>
<summary>
<sup>
<table>
<tbody>
<td>
<template>
<textarea>
<tfoot>
<th>
<thead>
<time>
<title>
<tr>
<track>
<u>
<ul>
<var>
<wbr>
Note: Specific attributes allowed for certain tags are listed in code comments.
Encoding Non-Whitelisted Tags
When working with HTML content in our application, it's important to be aware of our whitelist of allowed HTML tags. Our whitelist is designed to ensure both compatibility and security. If your HTML content includes tags that are not on this whitelist, our application will take automatic measures to safeguard your emails.
Specifically, any tags that are not on the whitelist will be HTML-encoded. This process involves converting the tags into a format that renders them as plain text within the email, rather than executing them as HTML elements. This approach is essential to prevent potential security vulnerabilities and maintain the integrity of your email communications.
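The encoding step described above can be sketched as follows. This is an added example, not our application's actual code. It assumes a small subset of the tag whitelist, a hypothetical attribute allowlist, and that non-whitelisted attributes are dropped; the names ALLOWED_ATTRS, WhitelistEncoder and encode_non_whitelisted are illustrative.

```python
from html import escape
from html.parser import HTMLParser

# Assumption: a small subset of the page's tag whitelist, kept short for the example.
ALLOWED_TAGS = {"a", "b", "br", "div", "em", "img", "p", "span", "strong"}
# Assumption: hypothetical attribute allowlist; the page does not list the real one.
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}

class WhitelistEncoder(HTMLParser):
    """Re-emit whitelisted tags; HTML-encode every other tag as plain text."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []

    def _emit_tag(self, tag, attrs, closing=""):
        if tag not in ALLOWED_TAGS:
            # Encode the raw source of the tag so clients display it as text.
            self.out.append(escape(self.get_starttag_text()))
            return
        # Assumption: attributes outside the allowlist are dropped (e.g. onclick).
        kept = [(k, v) for k, v in attrs if k in ALLOWED_ATTRS.get(tag, ())]
        rendered = "".join(f' {k}="{escape(v or "")}"' for k, v in kept)
        self.out.append(f"<{tag}{rendered}{closing}>")

    def handle_starttag(self, tag, attrs):
        self._emit_tag(tag, attrs)

    def handle_startendtag(self, tag, attrs):
        self._emit_tag(tag, attrs, " /")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>" if tag in ALLOWED_TAGS else escape(f"</{tag}>"))

    def handle_data(self, data):
        # Text, including the body of a <script> element, is always encoded.
        self.out.append(escape(data, quote=False))

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

def encode_non_whitelisted(html_text):
    parser = WhitelistEncoder()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out)
```

Because the output is rebuilt from parsed tokens rather than edited with string replacement, a non-whitelisted tag can only reach the recipient in its encoded form.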