Message Body property will filter unsafe HTML by default

Microsoft Graph team

We are making a change in what is returned by default in the Message Body property.

By default, we will strip any potentially unsafe HTML content from the Body of the Message or Post entity if the ContentType is HTML.

Here is an example of potentially unsafe HTML in the message body and below it you can see the filtered body.

Unfiltered HTML body

 "Body": { 
   "ContentType": "HTML", 
   "Content": "<html><body><b>Bold</b><script>alert('Alert!');</script></body></html>"

Filtered HTML body

 "Body": {
   "ContentType": "HTML",
   "Content": "<html><body><b>Bold</b></body></html>"

If you require the un-filtered content, you can continue to get it by providing the following HTTP request header.

 Prefer: outlook.allow-unsafe-html

By default, if the Prefer header is not present, the API will return filtered HTML. The API will only return the unfiltered (and potentially unsafe) HTML if the header is present and set to outlook.allow-unsafe-html.

This change is being rolled out in our production service and will be widely deployed over the next few weeks.

If you have any questions please reach out to us on Stack Overflow using the outlook-restapi tag.

Feedback usabilla icon