[kubuntu-devel] Re: HTML by default in KMail

Scott Kitterman ubuntu at kitterman.com
Fri Aug 6 17:59:53 BST 2010

On Friday, August 06, 2010 10:06:34 am Jonathan Riddell wrote:
> On Fri, Aug 06, 2010 at 09:47:24AM -0400, Scott Kitterman wrote:
> > I agree with this.  Yes, plain text by default may seem a bit old
> > fashioned, but HTML by default opens a large number of additional code
> > paths to potential exploits (and it appears to be very difficult to
> > write secure HTML parsers).
> Nothing that isn't already open through a web browser.
> What are the potential security problems with HTML rendering?  I can
> imagine some HTML being able to crash the renderer.  I can't imagine
> it being able to do anything worse.  (Javascript, java, <object>s etc
> being turned off)

I don't know.  Just plain HTML is not extraordinarily risky.  Upon reflection I 
think the more important concern with HTML is probably URL obfuscation and 
users going to sites that are not the ones they expect.  Once the URL is 
clicked, then the browser (with Javascript, etc) comes into play.

I'd rather focus on making the click through better than changing the default.  
It might just be I'm too much of a traditionalist.

Scott K
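The URL obfuscation concern raised above (link text that shows one site while the href points at another) is something a mail client or a mail-filtering gateway can check mechanically before the user ever clicks. The following is an added example, not code from this thread or from KMail: it parses the HTML part of a message with Python's standard-library parser, collects every anchor, and flags those whose visible text looks like a URL or host name but resolves to a different host than the real target. The sample message body is constructed for the demonstration; the function and variable names are assumptions of this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible link text that a reader would take to be a web address:
# an explicit scheme, a "www." prefix, or a bare host name with a TLD.
URL_LIKE = re.compile(
    r"^(https?://|www\.)\S+$|^[a-z0-9.-]+\.[a-z]{2,}(/\S*)?$", re.I
)


class AnchorCollector(HTMLParser):
    """Collect (href, visible_text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self._href = None
        self._text = []
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        # Only text inside an open <a> element is part of the link label.
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_like):
    """Lower-cased host of a URL or bare host name, or None if unparsable."""
    s = url_like.strip()
    if "://" not in s:
        s = "http://" + s  # let urlparse treat a bare host as a netloc
    host = urlparse(s).hostname
    return host.lower() if host else None


def same_site(a, b):
    """True if the hosts are equal or one is a subdomain of the other,
    so 'bank.example.com' vs 'www.bank.example.com' is not reported."""
    if not a or not b:
        return False
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def find_deceptive_links(html):
    """Return [(visible_text, href)] for anchors whose label reads as a URL
    but whose actual target is on a different host."""
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.links:
        if not href or not URL_LIKE.match(text):
            continue
        if not same_site(host_of(text), host_of(href)):
            findings.append((text, href))
    return findings


# Constructed sample: one anchor shows the bank's address but points at
# another host; the other two are consistent and must not be flagged.
SAMPLE_HTML = """<p>Please verify your account at
<a href="http://login.example.net/verify">https://www.bank.example.com/</a>
or visit <a href="https://www.bank.example.com/help">our help page</a>
or <a href="https://www.bank.example.com/">www.bank.example.com</a>.</p>"""

if __name__ == "__main__":
    for text, href in find_deceptive_links(SAMPLE_HTML):
        print(f"label {text!r} actually links to {href!r}")
```

The check deliberately ignores anchors whose label is ordinary prose ("our help page"), since those carry no implicit promise about the destination; a client could instead surface the real target for every link in a tooltip or status line, which is the "better click-through" approach the message favours over changing the default.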

