On 11/6/2013 8:17 AM, Christian Boltz wrote:
> Hello,
>
> On Tuesday, 5 November 2013, Linda Walsh wrote:
>> Your message had "*rendering*" in bold text -- did you write in HTML?
>> No -- I assert that HTML is markup on text -- it isn't scripting --
>
> HTML is more than markup - and it can contain scripting.

Not HTML. When you include scripting, you are switching to a different language. Javascript != HTML.

> The problem isn't the markup part (bold/italic/underline etc.), but all the other things (like javascript and tracking pixels) that can be embedded in HTML.

My mail reader, ***by default*** doesn't display inline images unless I specifically ask it to or put the sender in my address book. It's part of its core functionality (a 3yr, 7mo old version of Tbird). I don't think there is a way for me to enable script execution in email. It doesn't support cookies.

> I'm fine with rendering text in mails *bold* or _underlined_, but I don't want colored text, javascript or tracking pixels in my mails.

If you have put the email in your address book, it can display images. If you haven't, images are blocked by default. **EVEN** if I send you HTML, you can choose, on your end, to display in "original HTML" (still limited), "simple HTML" that preserves markup, or plaintext (where it extracts the text and displays that).

> I strongly disagree - XSS is basically a bug in the renderer (because it doesn't remove or escape <script> or <div onmouseover=...> tags), and you can read about XSS attacks quite often.

XSS isn't HTML. It's XSS that requires scripting.

>> Technically HTML is marginally more complex to interpret than text, but I would still ask for a proof of concept -- I don't recall it ever being seriously considered a threat vector.
>
> A simple example: a HTML mail could hide/optically replace the message header part (showing Subject/From/To/Date) in KMail with a positioned <div> and display whatever it wants there. With the same method, it could probably also simulate the green "This mail has a valid GPG signature from" box, which could then trick you to click on links (because you trust the (displayed) sender/signature), and the link targets could do phishing etc.

You can't place text outside of the HTML display window using HTML-only. At the very least, you'd need javascript and access to the DOM model. None of those are your basic markup HTML. Have you read slashdot.net? The HTML they have in "light-mode (for display), is

> That's one of the reasons why I don't like HTML mails - there's an additional risk level without any benefit.

You are talking about a bad reader. It sounds like Kmail (which I always found to be buggy & slow) also has low security features. From wikipedia, threat vectors in HTML:

1) HTML allows for a link to have a different target than the link's text. This can be used in phishing attacks.

Tbird default: you read the actual link in the status bar -- can't be spoofed w/o scripting (default=disabled w/prejudice).

2) If an email contains web bugs (inline content from an external server, such as a picture), the server can alert a third party that the email has been opened. This is a potential privacy risk. Response: some email clients do not load external images until requested to by the user (you get a good email client that was designed with privacy & security in mind (Tbird being 1 example)).

That's it. It CAN be used as a spam vector, but that's not a security risk and most people & lists have filters that do a good job of filtering that out. They don't contain scripts -- kmail is an aberration. As I mentioned in earlier responses, if you don't like HTML, you can convert it to plaintext. Check out lynx sometime -- all plaintext, all the time (it's a text browser). This works for the USDoD who, during periods of increased network threats, convert all incoming HTML email to text email.

> The other reason is more practical - I want mails displayed in the font _I_ like - not in a random font and (mis)design that the sender might like, but is harder to read.

You can choose that, more easily and flexibly in html than in plain text, since you can: 1) disable using any fonts or COLORS other than what you specify, or 2) insert your own style sheet at the top to display it any way you want and put in css rules to prohibit changing font size/color...etc.

> Regards,
> Christian Boltz

And, BTW, FWIW, I usually send BOTH a copy of the HTML email AND a plain-text copy for those who don't want to convert, but that's just me, and not a builtin feature. Translators like the DOD use are trivial to write -- especially if you are willing to use some script to do the filtering. Something like perl can walk an HTML syntax tree, and only emit HTML items you want -- like content or simple markup -- but some readers have that built-in.

Cheers,
Linda
--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
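A filter of the kind Linda describes in her last paragraph (walk the HTML and emit only content and simple markup), written here as an added Python example rather than anything from the thread or from any mail client. The allow-list of tags, the accepted link schemes and the sample message body are assumptions; text inside a dropped element such as the positioned <div> survives as ordinary inline text, so it can no longer be laid over the real headers.

```python
from html import escape
from html.parser import HTMLParser

# Assumed policy (not from the thread): the only markup that survives.
ALLOWED_TAGS = {"b", "i", "u", "em", "strong", "p", "br", "a", "ul", "ol", "li", "blockquote"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")
DROP_CONTENT = {"script", "style", "head", "title"}  # element *and* its text vanish

class SimpleHtmlFilter(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside a DROP_CONTENT element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # <img> (web bug), <div style=...>, <font>, ... are removed, text kept
        keep = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue  # style=, on*= and every other attribute never pass
            if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue  # javascript:, data:, vbscript: links lose their target
            keep.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(keep)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))  # text is re-escaped on output

def to_simple_html(html: str) -> str:
    f = SimpleHtmlFilter()
    f.feed(html)
    f.close()
    return "".join(f.out)

# Constructed sample: spoofed header overlay, event handler, script, web bug, bad link.
SAMPLE = ('<div style="position:absolute;top:0">From: boss@example.com</div>'
          '<p>Hi, <b>please</b> see <a href="https://example.com/x" onclick="evil()">this</a>'
          '<script>alert(1)</script><img src="http://tracker.example/p.gif" width=1></p>'
          '<a href="javascript:alert(1)">x</a>')
```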