Hello,

On Tuesday, 5 November 2013, Linda Walsh wrote:
>> Your message had "*rendering*" in bold text -- did you write in HTML?
> No -- I assert that HTML is markup on text -- it isn't scripting --

HTML is more than markup - and it can contain scripting. The problem isn't the markup part (bold/italic/underline etc.), but all the other things (like javascript and tracking pixels) that can be embedded in HTML. I'm fine with rendering text in mails *bold* or _underlined_, but I don't want colored text, javascript or tracking pixels in my mails.

> Note that the fact that your reader is displaying binary data as "text" is already an interpretive layer. You can claim that interpreting a binary stream as text is vastly different than interpreting it as emphasized, italicized, or paragraph-formatted or proportional text, but it's a matter of degree. If you aren't seeing *only* electrical "on/off" states, you are seeing some level of interpretation.

01110111 01110010 01101111 01101110 01100111 *SCNR*

> I don't recall any instance where a site has been hacked due to a bug in an HTML renderer.

I strongly disagree - XSS is basically a bug in the renderer (because it doesn't remove or escape <script> or <div onmouseover=...> tags), and you can read about XSS attacks quite often.

> Technically HTML is marginally more complex to interpret than text, but I would still ask for a proof of concept -- I don't recall it ever being seriously considered a threat vector.

A simple example: an HTML mail could hide/optically replace the message header part (showing Subject/From/To/Date) in KMail with a positioned <div> and display whatever it wants there. With the same method, it could probably also simulate the green "This mail has a valid GPG signature from" box, which could then trick you into clicking on links (because you trust the (displayed) sender/signature), and the link targets could do phishing etc.

That's one of the reasons why I don't like HTML mails - there's an additional risk level without any benefit.

The other reason is more practical - I want mails displayed in the font _I_ like - not in a random font and (mis)design that the sender might like, but is harder to read.

Regards,

Christian Boltz
--
Wow consensus in less than 24 hours....imagine if it always worked that way....:-) Something smells fishy here ;-) Do you have the solution(tm) for the "Kanzlerfrage"? :) [>> Peter Flodin, > Andreas Jäger and Christoph Thiel in opensuse]
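The reply above makes two points a mail client has to get right: the renderer must not pass <script> or on* handlers through (the XSS point), and it must not let positioned or styled elements and remote images through either (the overlaid-header and tracking-pixel point). The sanitizer below is an added example written for this page, not code from the thread, from KMail or from openSUSE. It rebuilds an HTML body from an allow-list (plain emphasis and structure only, links restricted to http/https/mailto), discards script/style content outright, drops every other tag while keeping its text, and reports what it removed so the removal can be logged or shown to the user. The allow-list sets and the sample message body are assumptions constructed for the example.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allow-list of what the reader is willing to render (assumed for this example):
# inline emphasis and simple structure, nothing that can carry script,
# styling/positioning or remote loads.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong",
                "blockquote", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
ALLOWED_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br"}
# Elements whose *content* is dropped as well, not only their tags.
DROP_WITH_CONTENT = {"script", "style", "head", "title", "iframe", "object"}


class MailSanitizer(HTMLParser):
    """Rebuild an HTML mail body from the allow-list and record what was removed."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # sanitized output fragments
        self.dropped = []    # human-readable list of removed items
        self._open = []      # stack of emitted tags, keeps the output balanced
        self._skip = 0       # > 0 while inside a DROP_WITH_CONTENT element

    @staticmethod
    def _attr_ok(tag, name, value):
        if name not in ALLOWED_ATTRS.get(tag, ()):
            return False
        if name == "href":
            # Scheme allow-list: rejects javascript:, data:, relative URLs etc.
            return value is not None and \
                urlparse(value.strip()).scheme.lower() in ALLOWED_SCHEMES
        return True

    def handle_starttag(self, tag, attrs):
        if self._skip:
            if tag in DROP_WITH_CONTENT:
                self._skip += 1
            return
        if tag in DROP_WITH_CONTENT:
            self._skip = 1
            self.dropped.append(f"<{tag}> with its content")
            return
        if tag not in ALLOWED_TAGS:
            # The tag goes but its text stays: a positioned <div> can no longer
            # overlay the header area, yet the words it contained remain visible.
            self.dropped.append(f"<{tag}> tag")
            return
        kept = []
        for name, value in attrs:
            if self._attr_ok(tag, name, value):
                kept.append(f' {name}="{escape(value, quote=True)}"')
            else:
                self.dropped.append(f"{name} attribute on <{tag}>")
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self._open.append(tag)

    def handle_endtag(self, tag):
        if self._skip:
            if tag in DROP_WITH_CONTENT:
                self._skip -= 1
            return
        if tag in self._open:
            # Close anything still open inside this element, then the element.
            while self._open:
                t = self._open.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=False))

    def close(self):
        super().close()
        while self._open:  # balance whatever the sender left open
            self.out.append(f"</{self._open.pop()}>")


def sanitize_html_mail(body):
    """Return (sanitized_html, dropped_items) for one HTML mail body."""
    parser = MailSanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample body (not a real message): it carries exactly the kinds of
# content the reply objects to: script, a positioned overlay, a tracking pixel,
# a javascript: link and an inline event handler, next to legitimate emphasis.
SAMPLE_BODY = (
    "<p>Hi, the <b>new</b> <u>release</u> notes are up.</p>"
    "<script>document.location='http://phish.example/steal'</script>"
    '<div style="position:absolute;top:0;left:0;background:white">'
    "From: security@example.org (signed)</div>"
    '<img src="http://tracker.example/pixel.gif" width="1" height="1">'
    '<a href="javascript:alert(1)" onmouseover="alert(2)">click here</a> or '
    '<a href="https://example.org/notes">read the notes</a>'
)

if __name__ == "__main__":
    clean, dropped = sanitize_html_mail(SAMPLE_BODY)
    print(clean)
    for item in dropped:
        print("dropped:", item)
```

The design choice worth noting is the allow-list: a deny-list of "dangerous" tags or attributes is what lets a renderer leak the next <div onmouseover=...> variant through, whereas an allow-list only ever has to be extended deliberately. Keeping the text of a dropped element (the "From:" line inside the positioned <div> above) makes the spoofing attempt visible as ordinary body text instead of letting it cover the real header.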