Instead of removing it, the following fix might work:
The admin side can stores html in some other tables (e.g. product description), and the reason is, the admin side zen_db_prepare_input does NOT include a zen_sanitize_string.
If we added an HTML safe zen_db_prepare_input to catalog side, and used that when preparing $email_html in zen_mail_archive_write, it would fix this problem.
I am just uncertain if it would introduce a security issue. I suspect not, but I am not certain.
Bookmarks