"This HTML message has been sanitized for your security"

What’s the exact meaning of this message: “This HTML message has been sanitized for your security”?
It can be displayed when opening an email in HTML mode.
What actions have been taken to sanitize it?
Are they related to security only, or (also?) to unexpected formatting for example?

The filtering relates to security, but it could affect formatting too. I’ll get a more technical answer for you on this so that we can be clearer on what is actually being done.

You can use a service like https://www.emailprivacytester.com/ to see what is being done with these messages. To use that website you enter your email address and then confirm your address with the email you will get in reply.

You will then receive an email from the website again, and whenever you open the HTML version in an email client or our web app it will send results to the website detailing which HTML elements were not filtered by reading the email. You can repeatedly open the same message in different interfaces (e.g. an email client, RMM6, Runbox 7 beta) and the web page will automatically update to show which HTML elements were not filtered.

Please read the Privacy Policy of that website before using it, as Runbox is not responsible for external websites.


The email privacy tester is a nice test tool, but that does not explain what Runbox does to ‘sanitize’ an HTML message. I would like to see some code, or at least a list of elements tested, for what RMM6 does and what R7 does.

As I stated in another thread, I think the RMM6 approach is an excellent “default”.

I believe that website was used when developing the HTML filtering in Runbox 7, and therefore if it shows an item as filtered, then that is what the code is doing. The items appearing in the tests are what we are filtering for (or not) as indicated in the test results.

This answer is suitable for me.
And I thank RB7 for indicating that something has been done, instead of doing it without notification.

A related question: is there any change to the message itself or is this “sanitization” only dynamically made every time the message is opened in HTML mode?
Or in other words: if the message is displayed in an email client, does it receive the original untouched message or the sanitized one?

The original email source code itself in your account is untouched. This is purely a Runbox 7 HTML viewer operation and is done each time you open a message. An email client will download the original source and choose for itself how to display the message (according to your client settings of course).

What it means practically is that sometimes it is impossible to see images! Can you please add a show image option, so we can take our chances?

There is now a button to show the original HTML message at the far right of the message toolbar.

– Geir

But clicking it does not always show images.


Got a newsletter today. Takes 30 seconds to load each time. In general, viewing an email in HTML is always quite fast.

The reason for images in a message not loading could be that they are served insecurely without SSL from the source.

Try opening the image in a new tab and check whether the URL starts with http instead of https.

One way to resolve this issue could be for Runbox to download such images to our servers and then serve them over SSL.

– Geir

1 Like
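
Added example (not part of the thread and not Runbox code): a way to check the explanation above against a message's HTML source by listing which images are referenced over plain `http`. It assumes the viewer page is served over HTTPS; `audit_images`, `ImgCollector` and the sample body are made up for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample body (not a real newsletter); hosts are placeholders.
SAMPLE = """<html><body>
<img src="http://news.example.com/banner.png" alt="banner">
<IMG SRC="https://cdn.example.com/logo.png">
<img src="//static.example.com/footer.gif"/>
<img src="cid:part1.0001@example.com">
<img alt="no source">
</body></html>"""


class ImgCollector(HTMLParser):
    """Collect the src of every <img> tag, in document order."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):  # also called for <img .../>
        if tag == "img":
            src = (dict(attrs).get("src") or "").strip()
            if src:
                self.sources.append(src)


def audit_images(html_body):
    """Group image URLs by how an HTTPS-served viewer would fetch them."""
    collector = ImgCollector()
    collector.feed(html_body)
    collector.close()
    report = {"insecure": [], "secure": [], "embedded": [], "other": []}
    for src in collector.sources:
        try:
            scheme = urlsplit(src).scheme  # urlsplit lowercases the scheme
        except ValueError:                 # malformed URL
            scheme = "?"
        if src.startswith("//"):           # protocol-relative: inherits https
            report["secure"].append(src)
        elif scheme == "http":
            report["insecure"].append(src)
        elif scheme == "https":
            report["secure"].append(src)
        elif scheme in ("cid", "data"):    # carried inside the message itself
            report["embedded"].append(src)
        else:
            report["other"].append(src)
    return report


if __name__ == "__main__":
    for kind, urls in audit_images(SAMPLE).items():
        print(kind, urls)
```

Entries under `insecure` are the images to look at first when a message shows empty image placeholders.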