This article describes the filtering in Microsoft Outlook Web Access for Microsoft Exchange Server 2003 that helps protect you from malicious script that can be included in HTML-formatted e-mail messages or attachments. The filtering that was introduced in Outlook Web Access for Exchange Server 2003 is known as "Safe HTML" filtering. This article also provides a workaround for sharing files that are removed by the "Safe HTML" filtering feature.
Note: For information about an update to the Safe HTML filtering feature, see the following Microsoft Knowledge Base article:
912939 A software update for the Safe HTML filtering feature is available to enable you to use the POST method in HTML forms in Outlook Web Access for Exchange Server 2003
"Safe HTML" filtering was introduced in Outlook Web Access for Exchange Server 2003 to help protect users from malicious script and from certain HTML elements. The malicious script or the HTML element may run when the recipient opens the e-mail message or the attachment. Alternatively, the malicious script or the HTML element may run when the recipient takes an action such as clicking a link that is in the e-mail message.
Outlook Web Access filters out all potentially unsafe content from the e-mail message or from the attachment. Outlook Web Access also removes all scripts and elements or attributes that can reference a script. HTML forms and some other kinds of elements are also affected by the "Safe HTML" modifications that are made by Outlook Web Access.
The filtering in Outlook Web Access for Exchange Server 2003 is more rigorous than the filtering in Microsoft Office Outlook 2003. The reason is that the Outlook Web Access browser interface has more security requirements than the Outlook 2003 interface. Even if an e-mail message appears to be unmodified in Outlook 2003, that same e-mail message may be missing content when you view the message in Outlook Web Access.
The "Safe HTML" features in Outlook Web Access for Exchange Server 2003 may sometimes cause one or more of the following:
The loss of structure of the e-mail message
The loss of advanced functionality
The loss of some non-malicious content in e-mail messages or in attachments
However, the "Safe HTML" features help provide a safer e-mailing environment for users.
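To make the behavior described above concrete, the following Python sketch is an added illustration of allowlist-style HTML filtering; it is not Microsoft's implementation and not code from this article. The tag and attribute allowlists, the accepted URL schemes, and the sample message are assumptions constructed for the example.

```python
from html import escape
from html.parser import HTMLParser
# Assumed allowlists for this illustration; not the lists Outlook Web Access uses.
ALLOWED_TAGS = {"p", "b", "i", "a", "ul", "li", "table", "tr", "td"}
ALLOWED_ATTRS = {"href", "title", "colspan"}
SAFE_SCHEMES = ("http://", "https://", "mailto:")
DROP_WITH_CONTENT = {"script", "style"}  # their text is code, not message prose

class SafeHtmlFilter(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.removed, self.skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1  # suppress everything until the matching end tag
        if self.skip or tag not in ALLOWED_TAGS:
            self.removed.append(f"<{tag}>")
            return
        kept = ""
        for name, value in attrs:
            value = value or ""  # the parser has already decoded entities here
            unsafe_url = name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES)
            if name in ALLOWED_ATTRS and not unsafe_url:
                kept += f' {name}="{escape(value, quote=True)}"'
            else:  # event handlers, script URLs and unknown attributes
                self.removed.append(f"{tag}@{name}")
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:  # re-escape text so it cannot become markup
            self.out.append(escape(data, quote=False))

def safe_html(message):  # returns (filtered_html, list_of_removed_items)
    f = SafeHtmlFilter()
    f.feed(message)
    f.close()
    return "".join(f.out), f.removed

# Constructed sample: a script, an event handler, a script URL and a harmless form.
SAMPLE = ('<p onclick="track()">Report <b>attached</b></p><script>steal()</script>'
          '<a href="javascript:run()">open</a> <a href="https://example.com/r">site</a>'
          '<form action="https://example.com/rsvp"><input name="who">RSVP</form>')
```

Calling `safe_html(SAMPLE)` keeps the paragraph text and the HTTPS link but drops the harmless form and input elements together with the script content, which is the kind of lost structure and functionality listed above.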
If you must share non-malicious content that is removed by Exchange Server 2003, there are some methods that you can use to work around this issue. For example, you can use the following method:
Post the file attachment to a secure network share to which the recipients have access. Or, grant the recipients the required access to the network share to which you post the file. In the e-mail message, you can include a link to the network share and to the file.
For more information about how to configure Outlook Web Access for Exchange Server 2003, click the following article number to view the article in the Microsoft Knowledge Base:
830827 How to manage Outlook Web Access features in Exchange Server 2003