[kubuntu-devel] Re: HTML by default in KMail
Scott Kitterman
ubuntu at kitterman.com
Fri Aug 6 17:59:53 BST 2010
On Friday, August 06, 2010 10:06:34 am Jonathan Riddell wrote:
> On Fri, Aug 06, 2010 at 09:47:24AM -0400, Scott Kitterman wrote:
> > I agree with this. Yes, plain text by default may seem a bit old
> > fashioned, but HTML by default opens a large number of additional code
> > paths to potential exploits (and it appears to be very difficult to
> > write secure HTML parsers).
>
> Nothing that isn't already open through a web browser.
>
> What are the potential security problems with HTML rendering? I can
> imagine some HTML being able to crash the renderer. I can't imagine
> it being able to do anything worse. (Javascript, java, <object>s etc
> being turned off)

I don't know. Just plain HTML is not extraordinarily risky. Upon reflection I
think the more important concern with HTML is probably URL obfuscation and
users going to sites that are not the ones they expect. Once the URL is
clicked, then the browser (with Javascript, etc) comes into play.

I'd rather focus on making the click through better than changing the default.
It might just be I'm too much of a traditionalist.

Scott K