What is the most effective way of sanitizing HTML emails displayed in a web application so that malicious code is not executable, but the html layout remains in tact?
An example of the desired functionality is the way gmail removes any script tags and delays image display.
I can use some naive regex tag stripper to try and secure the email as best I can, but what I'm looking for is a comprehensive filter that ideally sits between the client and pop server.
Does anyone have any insights into this problem?
I recommend you read the answers to Strict HTML Validation and Filtering in PHP, which asks the same question. HTML Purifier is a good starting point.