How to safely display HTML emails in a web application?

In a C# / ASP.NET MVC web application, I would like to display HTML emails received from untrusted sources. Does anyone know if there are known methods (or even tools) to do this in a "safe" way? As I understand it, most webmasters do extensive preprocessing (turning off image links, removing scripts, etc.).

Is there anything simple that does better than just displaying the email as plain text?

+4
1 answer

Joannes

The easiest way would be to use the whitelist-based sanitizer in the Web Protection Library to filter out potentially harmful HTML: http://wpl.codeplex.com/

As for implementing more complex client behaviour, for example blocking images from unknown sources unless the user allows them, you could try something along these lines:

  • Do not pass the <img src="{URI}" /> tags back to the client as they are; instead, tag each image with a unique identifier attribute and set its default src to a "do not display image" placeholder.
  • Add a button or other user interface control where the user can give their explicit consent to display images for this message.
  • Create an action method on the email view controller that returns a JsonResult with a dictionary that contains each image identifier along with its src value.
  • Write a JavaScript method that calls the action method and replaces the corresponding src values in place after receiving the JsonResult from your action method.

Hope this helps!

+3
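The sanitise-then-defer-images procedure described in the answer above, as an added example that is not part of the original answer or of the Web Protection Library. It assumes the HtmlAgilityPack NuGet package and an ASP.NET MVC 5 project; `IEmailStore`, `Message` and the placeholder path `/Content/blocked-image.png` are hypothetical names used only for illustration. The whitelist sanitiser here stands in for the library the answer names: it drops dangerous elements with their content, unwraps unknown tags, keeps only a small set of attributes (so `style` and `on*` handlers are gone), allows `href` only for absolute http/https/mailto URLs, and rewrites every remote `<img>` to the placeholder while recording the real URL under a fresh identifier.

```csharp
// Added example, not code from the original answer. Assumes HtmlAgilityPack and ASP.NET MVC 5.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web.Mvc;
using HtmlAgilityPack;

public static class EmailHtmlPreparer
{
    static readonly HashSet<string> AllowedTags = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
    { "p", "br", "b", "i", "u", "em", "strong", "a", "img", "ul", "ol", "li", "blockquote",
      "h1", "h2", "h3", "table", "thead", "tbody", "tr", "td", "th", "div", "span" };
    // Removed together with their content; everything else not whitelisted is unwrapped.
    static readonly HashSet<string> DropWithContent = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
    { "script", "style", "iframe", "object", "embed", "form", "link", "meta", "base", "title" };
    static readonly HashSet<string> AllowedAttrs = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
    { "href", "alt", "title", "colspan", "rowspan" };
    static readonly HashSet<string> LinkSchemes = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
    { "http", "https", "mailto" };

    const string Placeholder = "/Content/blocked-image.png"; // hypothetical local asset

    // Returns sanitised HTML; 'images' maps each data-img-id to the original remote URL.
    public static string Prepare(string untrustedHtml, out Dictionary<string, string> images)
    {
        images = new Dictionary<string, string>();
        var doc = new HtmlDocument();
        doc.LoadHtml(untrustedHtml);

        // Snapshot first: the tree changes while nodes are removed or unwrapped.
        foreach (var node in doc.DocumentNode.Descendants().ToList())
        {
            if (node.NodeType == HtmlNodeType.Comment) { node.Remove(); continue; }
            if (node.NodeType != HtmlNodeType.Element) continue;
            if (DropWithContent.Contains(node.Name)) { node.Remove(); continue; }
            if (!AllowedTags.Contains(node.Name))
            {
                node.ParentNode.RemoveChild(node, true); // keep children, drop the tag
                continue;
            }
            foreach (var attr in node.Attributes.ToList())
            {
                if (attr.Name.Equals("src", StringComparison.OrdinalIgnoreCase) &&
                    node.Name.Equals("img", StringComparison.OrdinalIgnoreCase)) continue;
                if (!AllowedAttrs.Contains(attr.Name)) { attr.Remove(); continue; }
                if (attr.Name.Equals("href", StringComparison.OrdinalIgnoreCase) &&
                    !IsAllowedUrl(attr.Value, LinkSchemes)) attr.Remove();
            }
            if (node.Name.Equals("a", StringComparison.OrdinalIgnoreCase))
            {
                node.SetAttributeValue("target", "_blank");
                node.SetAttributeValue("rel", "noopener noreferrer");
            }
            if (node.Name.Equals("img", StringComparison.OrdinalIgnoreCase))
            {
                var src = node.GetAttributeValue("src", "");
                node.Attributes.Remove("src");
                if (!IsAllowedUrl(src, new HashSet<string> { "http", "https" })) continue;
                var id = Guid.NewGuid().ToString("N");
                images[id] = HtmlEntity.DeEntitize(src);
                node.SetAttributeValue("src", Placeholder);
                node.SetAttributeValue("data-img-id", id);
            }
        }
        return doc.DocumentNode.OuterHtml;
    }

    // Absolute URL with a whitelisted scheme; entity-encoded tricks are decoded first.
    static bool IsAllowedUrl(string raw, HashSet<string> schemes)
    {
        Uri uri;
        return Uri.TryCreate(HtmlEntity.DeEntitize(raw ?? ""), UriKind.Absolute, out uri)
               && schemes.Contains(uri.Scheme);
    }
}

public class EmailController : Controller
{
    readonly IEmailStore _store; // hypothetical: persists messages and image maps per user
    public EmailController(IEmailStore store) { _store = store; }

    public ActionResult Show(int id)
    {
        Message message = _store.Get(User.Identity.Name, id); // authorises by owner
        Dictionary<string, string> images;
        string safeHtml = EmailHtmlPreparer.Prepare(message.RawHtml, out images);
        _store.SaveImageMap(User.Identity.Name, id, images);
        ViewBag.Body = MvcHtmlString.Create(safeHtml); // already sanitised, render raw
        return View();
    }

    // Called only after the user clicks "Show images"; answers {data-img-id: url}.
    [HttpPost]
    public JsonResult Images(int id)
    {
        return Json(_store.LoadImageMap(User.Identity.Name, id));
    }
}
```

On the client, the consent button posts to `Images/{id}`, then for each entry sets `img[data-img-id="..."]`'s `src` to the returned URL; because the map is stored server-side and keyed by the signed-in user, the browser never gets to supply arbitrary URLs to swap in. Two caveats a practitioner will want: the CodePlex project the answer links to is archived and its sanitiser is no longer maintained, so use a maintained whitelist sanitiser (or the one above) rather than that package; and render the sanitised body inside an `<iframe sandbox>` served from a separate origin so that any sanitiser miss cannot reach the application's cookies or DOM.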
