diff --git a/src/com/android/email/provider/EmailMessageCursor.java b/src/com/android/email/provider/EmailMessageCursor.java
index a734bbe63..e4aa27003 100644
--- a/src/com/android/email/provider/EmailMessageCursor.java
+++ b/src/com/android/email/provider/EmailMessageCursor.java
@@ -25,6 +25,7 @@ import android.provider.BaseColumns;
 import android.util.SparseArray;
 import com.android.emailcommon.provider.EmailContent.Body;
+import com.android.mail.utils.HtmlSanitizer;
 import com.android.mail.utils.LogUtils;
 import org.apache.commons.io.IOUtils;
@@ -70,7 +71,8 @@ public class EmailMessageCursor extends CursorWrapper {
 final Uri htmlUri = Body.getBodyHtmlUriForMessageWithId(messageId);
 final InputStream in = cr.openInputStream(htmlUri);
 final String underlyingHtmlString = IOUtils.toString(in);
- mHtmlParts.put(position, underlyingHtmlString);
+ final String sanitizedHtml = HtmlSanitizer.sanitizeHtml(underlyingHtmlString);
+ mHtmlParts.put(position, sanitizedHtml);
 }
 } catch (final IOException e) {
 LogUtils.v(LogUtils.TAG, e, "Did not find html body for message %d", messageId);
diff --git a/src/com/android/email/provider/EmailProvider.java b/src/com/android/email/provider/EmailProvider.java
index acd04b034..ce887766b 100644
--- a/src/com/android/email/provider/EmailProvider.java
+++ b/src/com/android/email/provider/EmailProvider.java
@@ -3383,6 +3383,9 @@ public class EmailProvider extends ContentProvider {
 // TODO: Should this be stored per-account, or some other mechanism?
 capabilities |= AccountCapabilities.NESTED_FOLDERS;
+ // sanitization happens lazily in the EmailMessageCursor as HTML email bodies are requested
+ capabilities |= UIProvider.AccountCapabilities.SANITIZED_HTML;
+
 return capabilities;
 }
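Review bot: The `InputStream in` opened two lines above the new `sanitizeHtml` call is never closed anywhere visible in this hunk, and `IOUtils.toString(in)` decodes it with the platform default charset, so the sanitizer may be handed mis-decoded markup on devices whose default is not what the body was stored in. Unless the stream is closed in a `finally` outside the hunk, a try-with-resources around the read, `try (InputStream body = cr.openInputStream(htmlUri)) { ... }`, plus an explicit charset in `IOUtils.toString(body, "UTF-8")` would fit here; the stored body's actual encoding is not visible from this diff, so confirm it before choosing the charset. The cached value now carries a security property worth stating for the next reader: `// cache only the sanitized body; the raw HTML must never leave this cursor`. The enclosing method begins and ends outside the hunk.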
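Review bot: `SANITIZED_HTML` is advertised here unconditionally, while the sanitization the new comment refers to runs only when an HTML body is read through EmailMessageCursor; if any other path hands the raw `Body` HTML to the UI (for example a consumer that queries the body URI directly), it would be served unsanitized markup under a capability that claims otherwise, and the UI may then inject script into it. That cannot be confirmed from this hunk, so the contract should at least be written down where the flag is set: `// Contract: every HTML body reaches the UI via EmailMessageCursor, which runs HtmlSanitizer; any path that bypasses that cursor invalidates this capability.` The method this hunk modifies starts outside the hunk.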
@@ -3486,6 +3489,10 @@ public class EmailProvider extends ContentProvider {
 UIProvider.SyncStatus.INITIAL_SYNC_NEEDED);
 }
 }
+ if (projectionColumns.contains(UIProvider.AccountColumns.ENABLE_MESSAGE_TRANSFORMS)) {
+ // Email is now sanitized, which grants the ability to inject beautifying javascript.
+ values.put(UIProvider.AccountColumns.ENABLE_MESSAGE_TRANSFORMS, 1);
+ }
 if (projectionColumns.contains(
 UIProvider.AccountColumns.SettingsColumns.IMPORTANCE_MARKERS_ENABLED)) {
 // Email doesn't support priority inbox, so always state importance markers disabled.
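Review bot: `ENABLE_MESSAGE_TRANSFORMS` is hard-coded to 1 for every account, independent of the `SANITIZED_HTML` capability bit computed elsewhere in this file, so the two can silently drift apart if that capability is ever made conditional per account or per backend — and the justification for enabling transforms is precisely that the body is sanitized. Deriving this value from the same capability check, or from one shared constant, keeps the "sanitized, therefore safe to inject script" reasoning in a single place. The added comment also understates the dependency; something like `// Transforms inject script into the rendered body, which is only safe because every HTML body is passed through HtmlSanitizer in EmailMessageCursor.` makes the precondition explicit. The enclosing query method begins outside the hunk.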