HTML by default in KMail

[Scott Kitterman]

On Friday, August 06, 2010 06:42:54 am Myriam Schweingruber wrote:
> On Fri, Aug 6, 2010 at 12:28, Jonathan Riddell <jriddell at ubuntu.com> wrote:
> > At Akademy I queried the current and past KMail maintainers about HTML
> > by default in e-mails.  They seemed to agree that it was a bit old
> > fashioned to be keeping it off and agreed it would be fine to turn it
> > on by default (in Kubuntu and upstream).  It seems unfriendly to me to
> > show a message with most e-mails that the programme is hiding
> > something from the user.
> > 
> > KMail has large warnings in it's config box about security problems
> > that might magically appear.  I can imagine it would help with
> > phishing.  I could also imagine javascript security problems, although
> > I'd hope javascript isn't allowed in Kmail e-mails I could be wrong.
> > 
> > As someone who uses a terminal programme for my e-mail I doubt my
> > opinion weights for much but I'd like to hear thoughts people have on
> > the setting.
> 
> I am strongly against turning it on. I don't see a valid reason to
> turn it on btw, as the user always gets an option to allow displaying
> of pictures/graphics for a particular sender. Also since half of the
> mail I get during the day is spam and they tend to often send HTML, I
> am very glad it is turned off by default.
> 
> A Linux system is by default secure, enabling HTML is certainly not.
> 
> Let the users who want to have it turn it on by themselves, but don't
> do so by default. I would really hate it to see kmail users of the
> future send html by default to mailing lists...
> 
> 
> Regards, Myriam.

I agree with this.  Yes, plain text by default may seem a bit old fashioned, 
but HTML by default opens a large number of additional code paths to potential 
exploits (and it appears to be very difficult to write secure HTML parsers).  

The system should default to a safe/secure configuration that users can change 
if they choose.

Scott K