From a09ad454a06b158f728fa9dc8dd71978f99ef367 Mon Sep 17 00:00:00 2001
From: Dave Lawrence
Date: Thu, 2 Apr 2026 13:14:44 +1030
Subject: [PATCH] email_manager - render email body in sandboxed iframe

Prevents stored XSS by rendering email HTML content inside a sandboxed iframe (srcdoc) rather than injecting it directly into the page DOM.
---
 email_manager/templates/email_detail.html | 2 +-
 email_manager/templates/email_pure.html | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/email_manager/templates/email_detail.html b/email_manager/templates/email_detail.html
index 8fc9d0a16..b2f9ca36e 100644
--- a/email_manager/templates/email_detail.html
+++ b/email_manager/templates/email_detail.html
@@ -19,5 +19,5 @@ : See in stand-alone window with accurate styling
-{{ email.html | safe }}
+
\ No newline at end of file
diff --git a/email_manager/templates/email_pure.html b/email_manager/templates/email_pure.html
index c13ed2aab..039069263 100644
--- a/email_manager/templates/email_pure.html
+++ b/email_manager/templates/email_pure.html
@@ -4,6 +4,6 @@ Subject: {{ email.subject }}
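Review bot: The added line on the new side shows only the `+` marker in this view — the iframe markup itself has not survived — so the two properties that make the sandbox hold cannot be confirmed from the patch: the `srcdoc` value must be emitted with attribute escaping (`srcdoc="{{ email.html }}"`, not `| safe`), because an unescaped `"` in a stored message would close the attribute and put attacker-controlled markup back into the parent document, and the `sandbox` attribute must not grant `allow-scripts` together with `allow-same-origin`, since that combination lets framed script remove its own sandbox. An empty `sandbox` keeps the frame on an opaque origin with scripts disabled, which matches what the commit message describes. Remote resources referenced by the message (images, stylesheets) still load inside a sandboxed srcdoc document, so `referrerpolicy="no-referrer"` on the iframe, or a `<meta http-equiv="Content-Security-Policy" content="default-src 'none'; img-src data:">` prepended to the srcdoc document, is worth considering if referrer and tracking-pixel leaks are a concern. The same check applies to the hunk in email_pure.html; both hunks show only a fragment of their templates and the surrounding markup lies outside the hunk.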
- {{ email.html | safe }}
+
\ No newline at end of file