On 11/6/2013 8:17 AM, Christian Boltz wrote:
Am Dienstag, 5. November 2013 schrieb Linda Walsh:
Your message had "*rendering*" in bold
text -- did you write in HTML?
No -- I assert that HTML is markup on text -- it isn't scripting --
HTML is more than markup - and it can contain scripting.
Not HTML. When you include scripting, you are switching to a different
The problem isn't the markup part (bold/italic/underline etc.), but
embedded in HTML.
My mail reader, ***by default*** doesn't display inline images unless
I specifically ask it to or put the sender in my address book. It's
part of its core functionality (a 3yr, 7mo old version of Tbird).
I don't think there is a way for me to enable script execution in email.
It doesn't support cookies.
I'm fine with rendering text in mails *bold* or
If you have put the email in your address book, it can display images.
If you haven't, images are blocked by default.
**EVEN** if I send you HTML, you can choose, on your end, to display in
"original HTML"(still limited), "simple HTML" that preserves markup,
plaintext (where it extracts the text and displays that).
I strongly disagree - XSS is basically a bug in the renderer (because
it doesn't remove or escape <script> or <div onmouseover=...> tags),
and you can read about XSS attacks quite often.
XSS isn't HTML. It's XSS that requires scripting.
HTML is marginally more complex to interpret than text,
but I would still ask for a proof of concept -- I don't recall it
ever being seriously considered a threat vector.
A simple example: an HTML mail could hide/optically replace the message
header part (showing Subject/From/To/Date) in KMail with a positioned
<div> and display whatever it wants there. With the same method, it
could probably also simulate the green "This mail has a valid GPG
signature from" box, which could then trick you to click on links
(because you trust the (displayed) sender/signature), and the link
targets could do phishing etc.
You can't place text outside of the HTML display window using HTML-only.
None of those are your basic markup HTML.
Have you read slashdot.net? The HTML they have in "light-mode (for
That's one of the reasons why I don't like HTML mails - there's an
additional risk level without any benefit.
You are talking about a bad reader. It sounds like Kmail (which
I always found to be buggy & slow), also has low security features.
From Wikipedia, threat vectors in HTML:
1) HTML allows for a link to have a different target than the link's
text. This can be used in phishing attacks. Tbird default: you read the
actual link in the status bar -- can't be spoofed w/o scripting
2) If an email contains web bugs (inline content from an external
server, such as a picture), the server can alert a third party that the
email has been opened. This is a potential privacy risk. Response: some
email clients do not load external images until requested to by the user
(you get a good email client that was designed with privacy & security
in mind; Tbird being 1 example).
That's it. It CAN be used as a spam vector, but that's not a security
risk and most people & lists have filters that do a good job of
filtering that out.
They don't contain scripts -- kmail is an aberration.
As I mentioned in early responses if you don't like HTML, you can
convert it to plaintext. Check out lynx sometime -- all plaintext, all
the time (it's a text browser).
This works for the USDoD who, during periods of increased network
threats, convert all incoming HTML email to text email.
The other reason is more practical - I want mails displayed in the
font _I_ like - not in a random font and (mis)design that the sender
might like, but is harder to read.
You can choose that, more easily and flexibly in html than in
plain text, since you can:
1) disable using any fonts or COLORS other than what you specify, or
2) insert your own style sheet at the top to display it any way you want
and put in CSS rules to prohibit changing font size/color...etc.
Regards, Christian Boltz
And, BTW, FWIW, I usually send BOTH a copy of the HTML email AND
a plain-text copy for those who don't want to convert, but that's just
me, and not a builtin feature. Translators like the DOD use are trivial
to write -- especially if you are willing to use some script to do the
Something like perl can walk an HTML syntax tree, and only emit HTML
items you want -- like content or simple markup -- but some readers have
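The tree-walking filter Linda sketches (emit only content plus simple markup, drop everything else) is shown here as an added example in Python's html.parser rather than perl; it is not code from the thread, and the allow-list, the safe URL schemes and the SAMPLE mail are constructed for illustration. It also covers the positioned `<div>` and `onmouseover` cases Christian raises: the `<div>` loses its `style`, so its text can no longer overlay the header area, and event-handler attributes are never copied.

```python
from html.parser import HTMLParser
from html import escape

# Constructed allow-list: tag -> attributes that may be kept on it.
ALLOWED = {"b": (), "i": (), "u": (), "em": (), "strong": (),
           "p": (), "br": (), "a": ("href",)}
SAFE_SCHEMES = ("http://", "https://", "mailto:")   # constructed choice

class MarkupFilter(HTMLParser):
    """Re-emit text and allow-listed tags only; all other tags vanish."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0   # >0 inside <script>/<style>: drop their text too

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED:
            return            # tag dropped; its text content is still kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue      # drops style=, onmouseover=, class=, ...
            if name == "href" and not value.lower().startswith(SAFE_SCHEMES):
                continue      # drops javascript:, data: and relative links
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in ALLOWED and tag != "br" and not self.skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))  # re-escape text

def simplify_html(html):
    """Return the 'simple HTML' view of a mail body."""
    p = MarkupFilter()
    p.feed(html)
    p.close()
    return "".join(p.out)

# Constructed mail body exercising the cases discussed in the thread.
SAMPLE = ('<p>Hi <b>Linda</b>,</p>'
          '<div style="position:absolute;top:0">From: trusted@example.org</div>'
          '<script>alert(1)</script>'
          '<a href="javascript:evil()" onmouseover="x()">click</a>'
          ' <a href="https://example.org/">site</a>')

if __name__ == "__main__":
    print(simplify_html(SAMPLE))
```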
To unsubscribe, e-mail: opensuse-factory+unsubscribe(a)opensuse.org
To contact the owner, e-mail: opensuse-factory+owner(a)opensuse.org