117 – Do not interpret HTML code

Summary

The client of business emails must not display HTML code by default.

Description

This security practice may impact the visual appearance of legitimate HTML formatted emails. Organizations must implement this measure to provide users with the ability to enable HTML display selectively for trusted sources.

Supported In

Essential: True

Advanced: True

References

• CAPEC-242. Code injection
• CWE-80. Improper neutralization of script-related HTML tags in a web page (basic XSS)
• OWASP10-A3. Injection

Weaknesses

• 114 – Phishing
• 043 – Insecure or unset HTTP headers - Content-Security-Policy

Last updated

2024/01/18