The HTML viewer injects email HTML into an iframe after stripping only <script> tags, and the Streamlit app renders HTML bodies directly with st.components.v1.html. That leaves room for unsafe markup, external resources, and generally unpredictable rendering. Even for an offline tool, sanitization and sandboxing would be a good improvement.
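As an added, stdlib-only illustration of the sanitize-then-sandbox approach suggested above (example code, not from the project under review): an allowlist sanitizer that rebuilds the email body from known-safe tags and attributes (event handlers, unsafe URL schemes, and resource-loading tags never survive), plus a helper that wraps the result in a sandboxed iframe with a restrictive CSP. The specific tag and attribute allowlists are assumptions chosen for the example.

```python
from html import escape
from html.parser import HTMLParser

# Allowlist (assumed for this example): anything not listed is dropped (tag only, text kept).
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "ul", "ol", "li", "blockquote",
                "pre", "code", "h1", "h2", "h3", "table", "tr", "td", "th", "div", "span"}
ALLOWED_ATTRS = {"a": {"href"}, "td": {"colspan"}, "th": {"colspan"}}
# These are removed together with their content, not just the tag.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "svg", "math", "head"}
SAFE_SCHEMES = ("http:", "https:", "mailto:")   # allowlist of URL schemes for href


class EmailHtmlSanitizer(HTMLParser):
    """Rebuilds the input from the allowlist; img is not allowed, so nothing remote is fetched."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags, self.skip_depth = [], [], 0

    def handle_starttag(self, tag, attrs):
        if self.skip_depth or tag in DROP_WITH_CONTENT:
            self.skip_depth += tag in DROP_WITH_CONTENT  # track nesting of dropped elements
            return
        if tag not in ALLOWED_TAGS:
            return
        kept = ""
        for name, value in attrs:          # html.parser lowercases names and unescapes values
            value = value or ""
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, ()):
                continue                   # event handlers and unlisted attributes are dropped
            if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue                   # rejects javascript:, data:, relative URLs, ...
            kept += f' {name}="{escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")
        if tag != "br":
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.skip_depth:
            self.skip_depth -= tag in DROP_WITH_CONTENT
        elif tag in self.open_tags:
            while self.open_tags:          # close up to and including the matching open tag
                self.out.append(f"</{self.open_tags.pop()}>")
                if self.out[-1] == f"</{tag}>":
                    break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))  # text is re-escaped, never emitted raw


def sanitize_email_html(raw):
    p = EmailHtmlSanitizer()
    p.feed(raw)
    p.close()
    return "".join(p.out) + "".join(f"</{t}>" for t in reversed(p.open_tags))


def sandboxed_iframe(clean_html):
    """Sandbox with no tokens: no scripts, forms, plugins or top navigation; CSP blocks loads."""
    csp = "<meta http-equiv=\"Content-Security-Policy\" content=\"default-src 'none'\">"
    return f'<iframe sandbox srcdoc="{escape(csp + clean_html, quote=True)}"></iframe>'
```

The `sandboxed_iframe` output is what an offline viewer would hand to the browser (or to `st.components.v1.html`) instead of the raw body.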