Raw HTML
Untrusted email HTML from Gmail API
Input
DOMPurify
Sanitize: remove scripts, handlers, dangerous nodes
Sanitize
Scoped Styles
Prefix CSS selectors with container class
Scope
Sandboxed Iframe
Isolated rendering context via srcdoc
Render
Step 1
Raw HTML Input
Gmail API returns full MIME-decoded HTML with inline styles, style tags, and table-based layouts
<table width="600">
Step 2
DOMPurify Sanitize
Parse HTML into DOM tree, walk nodes, remove script tags, event handlers, and form elements
DOMPurify.sanitize(html)
Step 3
Style Scoping
Prefix every CSS selector in style tags with container class to prevent style leakage
.email-body a {}
Step 4
Iframe Isolation
Render via srcdoc in sandboxed iframe with ResizeObserver for dynamic height
sandbox="allow-same-origin"