
Displaying HTML and passing security risks

We have a field where the user can submit HTML (needs to be HTML, not the rich text field). We want to be able to display this HTML as a preview of what they might see when it's sent in an email.

How can we display the HTML in the page (an iframe) in a way that will be acceptable to the Salesforce security team? If we use outputText with the escape attribute set to false, we will come across some security failures so this is no good to us.
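One common way to isolate untrusted HTML for a preview like the one asked about, as an added example that is not part of the original post and is not Salesforce's own code: put the markup in an iframe's `srcdoc` with an empty `sandbox` attribute and a restrictive Content-Security-Policy. The names `buildPreviewFrame`, `escapeAttr` and `PREVIEW_CSP` are hypothetical, and whether this satisfies a particular security review is an assumption the page does not settle.

```javascript
// Added example: build a locked-down preview frame for untrusted HTML.
// All names here (buildPreviewFrame, escapeAttr, PREVIEW_CSP) are hypothetical.

// CSP applied inside the framed document: nothing loads except inline
// styles and https/data images, which email markup commonly relies on.
const PREVIEW_CSP =
  "default-src 'none'; img-src https: data:; style-src 'unsafe-inline'";

// Escape a string for use inside a double-quoted HTML attribute.
// '&' is replaced first so the entities produced by the later
// replacements are not escaped a second time.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Return iframe markup whose srcdoc carries the user's HTML.
// sandbox="" (no allow-* tokens) disables script execution and form
// submission, blocks top-level navigation, and gives the framed
// document an opaque origin, so it cannot reach the host page's DOM
// or cookies. The user HTML is never written into the host page itself.
function buildPreviewFrame(userHtml) {
  const doc =
    "<!doctype html><html><head>" +
    '<meta http-equiv="Content-Security-Policy" content="' +
    PREVIEW_CSP +
    '">' +
    "</head><body>" +
    String(userHtml) +
    "</body></html>";
  return (
    '<iframe sandbox="" referrerpolicy="no-referrer" ' +
    'title="Email preview" srcdoc="' +
    escapeAttr(doc) +
    '"></iframe>'
  );
}

// Constructed sample input: email-style markup plus an attempt to close
// the srcdoc attribute and add an event handler to the iframe tag.
const SAMPLE_HTML =
  '<p style="color:red">Hi</p><script>alert(1)</script>" onload="x';
const SAMPLE_FRAME = buildPreviewFrame(SAMPLE_HTML);
```

The escaping only protects the `srcdoc` attribute boundary; the isolation itself comes from `sandbox` and the CSP, so neither should be relaxed (for example with `allow-scripts` together with `allow-same-origin`) without re-evaluating the risk.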