Message Body property will filter unsafe HTML by default

We are making a change in what is returned by default in the Message Body property.

By default, we will strip any potentially unsafe HTML content from the Body of the Message or Post entity if the ContentType is HTML.

Here is an example of potentially unsafe HTML in the message body and below it you can see the filtered body.

Unfiltered HTML body

 "Body": {
  "ContentType": "HTML",
  "Content": "<html><body><b>Bold</b><script>alert('Alert!');</script></body></html>"
 }

Filtered HTML body

 "Body": {
  "ContentType": "HTML",
  "Content": "<html><body><b>Bold</b></body></html>"
 }

If you require the unfiltered content, you can continue to get it by providing the following HTTP request header.

 Prefer: outlook.allow-unsafe-html

By default, if the Prefer header is not present, the API will return filtered HTML. The API will only return the unfiltered (and potentially unsafe) HTML if the header is present and set to outlook.allow-unsafe-html.
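
As an added example (not code from the original post), the following Python builds the request headers with or without the opt-in and, for a client that does opt in, flags active content in the returned Body before it is rendered. The names `request_headers` and `active_content` and the `ACTIVE_TAGS` and `URL_ATTRS` lists are this example's assumptions; they do not describe the rules the service's own filter applies.

```python
from html.parser import HTMLParser

# The two bodies shown above, as Python dicts.
UNFILTERED = {"Body": {"ContentType": "HTML", "Content":
    "<html><body><b>Bold</b><script>alert('Alert!');</script></body></html>"}}
FILTERED = {"Body": {"ContentType": "HTML", "Content":
    "<html><body><b>Bold</b></body></html>"}}

# Assumption: this example's own notion of active content,
# not the rule set the service applies.
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}
URL_ATTRS = {"href", "src", "action", "formaction"}


def request_headers(allow_unsafe_html=False):
    """Headers for a message GET; the Prefer opt-in is off unless asked for."""
    headers = {"Accept": "application/json"}
    if allow_unsafe_html:
        headers["Prefer"] = "outlook.allow-unsafe-html"
    return headers


class _Finder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{name} handler on <{tag}>")
            elif name in URL_ATTRS and value:
                # Whitespace and control characters do not stop a browser
                # from recognising the scheme, so drop them before comparing.
                compact = "".join(c for c in value if c > " ").lower()
                if compact.startswith("javascript:"):
                    self.findings.append(f"javascript: URL in {name} on <{tag}>")


def active_content(message):
    """Return a list of active-content findings for an HTML Body, else []."""
    body = message.get("Body") or {}
    if str(body.get("ContentType", "")).upper() != "HTML":
        return []
    finder = _Finder()
    finder.feed(body.get("Content") or "")
    finder.close()
    return finder.findings
```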

This change is being rolled out in our production service and will be widely deployed over the next few weeks.

If you have any questions, please reach out to us on Stack Overflow using the outlook-restapi tag.

Comments (8)

  1. Jeremy says:

    Any plan to expose tasks through the new unified REST API?

  2. Hi Jeremy, are you asking about outlook tasks?

  3. Jeremy says:

    Yes 😉

  4. Jeremy says:

    Yes I'm asking about Outlook tasks 😉

  5. Hi Jeremy, it is in our roadmap but no specific timeline that I can share as of yet.

  6. Matt Frewin says:

    Hi, do you know if there is a way to strip out any HTML – so just the text-version of the email is returned?

  7. Alexey says:

    Hi Jason, is there a way to request a plain text content for Body?
    In EWS there is a property for it, in addition to the html version.

    I see, Matt has already asked a similar question.


  8. Galaxy Star says:

    Will this be auto update or could I get a download?
