diff --git a/mail/inc/class.mail_compose.inc.php b/mail/inc/class.mail_compose.inc.php
index 09a0c2e590..820d1bb3c6 100644
--- a/mail/inc/class.mail_compose.inc.php
+++ b/mail/inc/class.mail_compose.inc.php
@@ -1756,7 +1756,7 @@ class mail_compose
 			}
 		}
 		//error_log(__METHOD__.__LINE__.'->'.array2string($attachment));
-		html::content_header($attachment['name'], $attachment['type'], 0, True, $_GET['mode'] == "save");
+		html::safe_content_header($attachment['attachment'], $attachment['name'], $attachment['type'], $size=0, true, $_GET['mode'] == "save");
 		echo $attachment['attachment'];
 
 		common::egw_exit();
diff --git a/mail/inc/class.mail_ui.inc.php b/mail/inc/class.mail_ui.inc.php
index 5af6cff28b..ad6b099e65 100644
--- a/mail/inc/class.mail_ui.inc.php
+++ b/mail/inc/class.mail_ui.inc.php
@@ -114,11 +114,6 @@ class mail_ui
 		if (!$run_constructor) return;
 
 		if (mail_bo::$debugTimes) $starttime = microtime (true);
-		if (!isset($GLOBALS['egw_info']['flags']['js_link_registry']))
-		{
-			//error_log(__METHOD__.__LINE__.' js_link_registry not set, force it:'.array2string($GLOBALS['egw_info']['flags']['js_link_registry']));
-			$GLOBALS['egw_info']['flags']['js_link_registry']=true;
-		}
 		// no autohide of the sidebox, as we use it for folderlist now.
 		unset($GLOBALS['egw_info']['user']['preferences']['common']['auto_hide_sidebox']);
 
@@ -2500,7 +2495,7 @@ class mail_ui
 		}
 		//error_log(__METHOD__.__LINE__.'->'.array2string($attachment));
 		$filename = ($attachment['name']?$attachment['name']:($attachment['filename']?$attachment['filename']:$mailbox.'_uid'.$uid.'_part'.$part));
-		html::content_header($filename,$attachment['type'],0,True,($_GET['mode'] == "save"));
+		html::safe_content_header($attachment['attachment'], $filename, $attachment['type'], $size=0, True, $_GET['mode'] == "save");
 		echo $attachment['attachment'];
 
 		$GLOBALS['egw']->common->egw_exit();
@@ -2544,19 +2539,16 @@ class mail_ui
 		}
 
 		$GLOBALS['egw']->session->commit_session();
-		if ($display==false)
+		if (!$display)
 		{
 			$subject = str_replace('$$','__',mail_bo::decode_header($headers['SUBJECT']));
-			html::content_header($subject .".eml",'message/rfc822',0,True,($display==false));
+			html::safe_content_header($message, $subject.".eml", 'message/rfc822', $size=0, true, true);
 			echo $message;
-
-			$GLOBALS['egw']->common->egw_exit();
-			exit;
 		}
 		else
 		{
-			header('Content-type: text/html; charset=iso-8859-1');
-			print '<pre>'. htmlspecialchars($message, ENT_NOQUOTES, 'iso-8859-1') .'</pre>';
+			html::safe_content_header($message, $subject.".eml", 'text/html', $size=0, true, false);
+			print '<pre>'. htmlspecialchars($message, ENT_NOQUOTES, 'utf-8') .'</pre>';
 		}
 	}
 
diff --git a/phpgwapi/inc/class.html.inc.php b/phpgwapi/inc/class.html.inc.php
index e884d95da3..c580d512a0 100644
--- a/phpgwapi/inc/class.html.inc.php
+++ b/phpgwapi/inc/class.html.inc.php
@@ -1487,7 +1487,91 @@ egw_LAB.wait(function() {
 	}
 
 	/**
-	 * Output content headers for file downloads
+	 * Output content headers for user-content, mitigating risk of javascript or html
+	 *
+	 * Mitigate risk of serving javascript or css from our domain,
+	 * which will get around same origin policy and CSP!
+	 *
+	 * Mitigate risk of html downloads by using CSP or force download for IE
+	 *
+	 * @param resource|string &$content content might be changed by this call
+	 * @param string $path filename or path for content-disposition header
+	 * @param string &$mime ='' mimetype or '' (default) to detect it from filename, using mime_magic::filename2mime()
+	 *	on return used, maybe changed, mime-type
+	 * @param int $length =0 content length, default 0 = skip that header
+	 *  on return changed size
+	 * @param boolean $nocache =true send headers to disallow browser/proxies to cache the download
+	 * @param boolean $force_download =true send content-disposition attachment header
+	 * @param boolean $no_content_type =false do not send actual content-type and content-length header, just content-disposition
+	 */
+	public static function safe_content_header(&$content, $path, &$mime='', &$length=0, $nocache=true, $force_download=true, $no_content_type=false)
+	{
+		// mitigate risk of serving javascript or css via webdav from our domain,
+		// which will get around same origin policy and CSP
+		list($type, $subtype) = explode('/', strtolower($mime));
+		if (!$force_download && in_array($type, array('application', 'text')) &&
+			in_array($subtype, array('javascript', 'x-javascript', 'ecmascript', 'jscript', 'vbscript', 'css')))
+		{
+			// unfortunatly only Chrome and IE >= 8 allow to switch content-sniffing off with X-Content-Type-Options: nosniff
+			if (html::$user_agent == 'chrome' || html::$user_agent == 'msie' && html::$ua_version >= 8)
+			{
+				$mime = 'text/plain';
+				header('X-Content-Type-Options: nosniff');	// stop IE & Chrome from content-type sniffing
+			}
+			// for the rest we change mime-type to text/html and let code below handle it safely
+			// this stops Safari and Firefox from using it as src attribute in a script tag
+			// but only for "real" browsers, we dont want to modify data for our WebDAV clients
+			elseif (isset($_SERVER['HTTP_REFERER']))
+			{
+				$mime = 'text/html';
+				if (is_resource($content))
+				{
+					$data = fread($content, $length);
+					fclose($content);
+					$content =& $data;
+					unset($data);
+				}
+				$content = '<pre>'.$content;
+				$length += 5;
+			}
+		}
+		// mitigate risk of html downloads by using CSP or force download for IE
+		if (!$force_download && in_array($mime, array('text/html', 'application/xhtml+xml')))
+		{
+			// use CSP only for current user-agents/versions I was able to positivly test
+			if (html::$user_agent == 'chrome' && html::$ua_version >= 24 ||
+				// mobile FF 24 on Android does NOT honor CSP!
+				html::$user_agent == 'firefox' && !html::$ua_mobile && html::$ua_version >= 24 ||
+				html::$user_agent == 'safari' && !html::$ua_mobile && html::$ua_version >= 536 ||	// OS X
+				html::$user_agent == 'safari' && html::$ua_mobile && html::$ua_version >= 9537)	// iOS 7
+			{
+				$csp = "script-src 'none'";	// forbid to execute any javascript
+				header("Content-Security-Policy: $csp");
+				header("X-Webkit-CSP: $csp");	// Chrome: <= 24, Safari incl. iOS
+				//header("X-Content-Security-Policy: $csp");	// FF <= 22
+				//error_log(__METHOD__."('$options[path]') ".html::$user_agent.'/'.html::$ua_version.(html::$ua_mobile?'/mobile':'').": using Content-Security-Policy: $csp");
+			}
+			else	// everything else get's a Content-dispostion: attachment, to be on save side
+			{
+				//error_log(__METHOD__."('$options[path]') ".html::$user_agent.'/'.html::$ua_version.(html::$ua_mobile?'/mobile':'').": using Content-disposition: attachment");
+				$force_download = true;
+			}
+		}
+		if ($no_content_type)
+		{
+			if ($force_download) self::content_disposition_header(egw_vfs::basename($path), $force_download);
+		}
+		else
+		{
+			self::content_header(egw_vfs::basename($path), $mime, $length, $nocache, $force_download);
+		}
+	}
+
+	/**
+	 * Output content-type headers for file downloads
+	 *
+	 * This function should only be used for non-user supplied content!
+	 * For uploaded files, mail attachmentes, etc, you have to use safe_content_header!
 	 *
 	 * @author Miles Lott originally in browser class
 	 * @param string $fn filename
@@ -1532,21 +1616,16 @@ egw_LAB.wait(function() {
 	 */
 	public static function content_disposition_header($fn,$forceDownload=true)
 	{
-			if ($forceDownload===true)
-			{
-				$attachment = ' attachment;';
-			}
-			else
-			{
-				$attachment = ' inline;';
-			}
-			// limit IE hack (no attachment in Content-disposition header) to IE < 9
-			if(self::$user_agent == 'msie' && self::$ua_version < 9)
-			{
-				$attachment = '';
-			}
+		if ($forceDownload===true)
+		{
+			$attachment = ' attachment;';
+		}
+		else
+		{
+			$attachment = ' inline;';
+		}
 
-			header('Content-disposition:'.$attachment.' filename="'.translation::to_ascii($fn).'"; filename*=utf-8\'\''.rawurlencode($fn));
+		header('Content-disposition:'.$attachment.' filename="'.translation::to_ascii($fn).'"; filename*=utf-8\'\''.rawurlencode($fn));
 	}
 
 	/**
diff --git a/phpgwapi/inc/class.vfs_webdav_server.inc.php b/phpgwapi/inc/class.vfs_webdav_server.inc.php
index e657c9f9ba..beed18adec 100644
--- a/phpgwapi/inc/class.vfs_webdav_server.inc.php
+++ b/phpgwapi/inc/class.vfs_webdav_server.inc.php
@@ -647,55 +647,14 @@ class vfs_webdav_server extends HTTP_WebDAV_Server_Filesystem
 		}
 		if (($ok = parent::GET($options)))
 		{
-			// mitigate risk of serving javascript or css via webdav from our domain,
-			// which will get around same origin policy and CSP
-			list($type, $subtype) = explode('/', strtolower($options['mimetype']));
-			if (!$this->force_download && in_array($type, array('application', 'text')) &&
-				in_array($subtype, array('javascript', 'x-javascript', 'ecmascript', 'jscript', 'vbscript', 'css')))
+			// mitigate risks of serving javascript or css from our domain
+			html::safe_content_header($options['stream'], $options['path'], $options['mimetype'], $options['size'], false,
+				$this->force_download, true);	// true = do not send content-type and content-length header, but modify values
+
+			if (!is_stream($options['stream']))
 			{
-				// unfortunatly only Chrome and IE >= 8 allow to switch content-sniffing off with X-Content-Type-Options: nosniff
-				if (html::$user_agent == 'chrome' || html::$user_agent == 'msie' && html::$ua_version >= 8)
-				{
-					$options['mimetype'] = 'text/plain';
-					header('X-Content-Type-Options: nosniff');	// stop IE & Chrome from content-type sniffing
-				}
-				// for the rest we change mime-type to text/html and let code below handle it safely
-				// this stops Safari and Firefox from using it as src attribute in a script tag
-				// but only for "real" browsers, we dont want to modify data for our WebDAV clients
-				elseif (isset($_SERVER['HTTP_REFERER']))
-				{
-					$options['mimetype'] = 'text/html';
-					$options['data'] = '<pre>'.fread($options['stream'], $options['size']);
-					$options['size'] += 5;
-					fclose($options['stream']);
-					unset($options['stream']);
-				}
-			}
-			// mitigate risk of html downloads by using CSP or force download for IE
-			if (!$this->force_download && in_array($options['mimetype'], array('text/html', 'application/xhtml+xml')))
-			{
-				// use CSP only for current user-agents/versions I was able to positivly test
-				if (html::$user_agent == 'chrome' && html::$ua_version >= 24 ||
-					// mobile FF 24 on Android does NOT honor CSP!
-					html::$user_agent == 'firefox' && !html::$ua_mobile && html::$ua_version >= 24 ||
-					html::$user_agent == 'safari' && !html::$ua_mobile && html::$ua_version >= 536 ||	// OS X
-					html::$user_agent == 'safari' && html::$ua_mobile && html::$ua_version >= 9537)	// iOS 7
-				{
-					$csp = "script-src 'none'";	// forbid to execute any javascript
-					header("Content-Security-Policy: $csp");
-					header("X-Webkit-CSP: $csp");	// Chrome: <= 24, Safari incl. iOS
-					//header("X-Content-Security-Policy: $csp");	// FF <= 22
-					//error_log(__METHOD__."('$options[path]') ".html::$user_agent.'/'.html::$ua_version.(html::$ua_mobile?'/mobile':'').": using Content-Security-Policy: $csp");
-				}
-				else	// everything else get's a Content-dispostion: attachment, to be on save side
-				{
-					//error_log(__METHOD__."('$options[path]') ".html::$user_agent.'/'.html::$ua_version.(html::$ua_mobile?'/mobile':'').": using Content-disposition: attachment");
-					$this->force_download = true;
-				}
-			}
-			if ($this->force_download)
-			{
-				html::content_disposition_header(egw_vfs::basename($options['path']),true);
+				$options['data'] =& $options['stream'];
+				unset($options['stream']);
 			}
 		}
 		return $ok;