HTML by default in KMail

Jussi Schultink jussi01 at
Mon Aug 9 09:42:15 BST 2010

2010/8/9 Aurélien Gâteau <aurelien.gateau at>:
> On 06/08/2010 12:28, Jonathan Riddell wrote:
>> At Akademy I queried the current and past KMail maintainers about HTML
>> by default in e-mails.  They seemed to agree that it was a bit old
>> fashioned to be keeping it off and agreed it would be fine to turn it
>> on by default (in Kubuntu and upstream).  It seems unfriendly to me to
>> show a message with most e-mails that the programme is hiding
>> something from the user.
>> KMail has large warnings in its config box about security problems
>> that might magically appear.  I can imagine it would help with
>> phishing.  I could also imagine javascript security problems, although
>> I'd hope javascript isn't allowed in Kmail e-mails; I could be wrong.
> Turning HTML on for *displaying* email is something I have done every
> time I introduced someone to KMail. If this option is not on then KMail
> is perceived as less powerful than their previous email client.
> Therefore I too believe HTML should be by default for *displaying*
> emails, as long as loading of external references is disabled. With this
> configuration KMail shouldn't end up being more vulnerable than
> Evolution, Thunderbird or any web mail.
> What does showing email in plain text protect you from?
> It does not protect you from the rogue links of a phish email (ie
> something like <a href=""></a>): you can't
> expect someone trying to abuse you with rogue links to provide a
> plain-text version with readable nasty links.
> It does not protect you against spam messages phoning home to confirm
> your email address is valid. You are protected from this as long as the
> "Allow messages to load external references from the Internet" option is
> unchecked.
> It does not protect you against messages containing nasty Javascript:
> The viewer widget is explicitly created with disabled Javascript, Java
> and plugins options [1].
> It does protect you against rogue HTML which could exploit a security
> hole in your HTML renderer to execute rogue code on your machine. *But*
> it only protects you if you are able to detect the email is rogue from
> the information provided without reading the message content (ie, sender
> and subject).
> This kind of attack requires much more technical skills than phishing
> (which only requires social skills) and is much less likely to work in a
> cross-email client way, so I assume it's not very widespread, if
> existing at all, as one would need to write a KMail-specific spam
> message for it to work (but IANASE, I Am Not A Security Expert :) )
I agree 100% with Aurélien here, and his arguments are what I would
have said, if I was a little more eloquent :)

> Aurélien
> [1]:
> , look for initHtmlWidget, line 1279 at the time of this writing.
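The three properties Aurélien lists (no external references fetched, no script executed, and phishing links that are not prevented by plain text anyway) can be checked mechanically. The following audit is an added example, not code from KMail or from anyone on this thread; it walks a constructed HTML body and reports remote references, script blocks, and links whose visible text is a URL pointing at a different host than the real href.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample of a phishing-style HTML body (not from the thread):
# a link whose visible text is a URL that differs from its real target,
# a remote tracking pixel, an inline (cid:) image, and a script block.
SAMPLE_EMAIL = """<html><body>
<p>Please confirm at <a href="http://198.51.100.7/login">https://bank.example.com/login</a>.</p>
<img src="http://tracker.example.net/pixel.gif?id=42" width="1" height="1">
<img src="cid:logo@local">
<script>alert(1)</script>
</body></html>"""

def _host(url):
    return urlsplit(url).hostname or ""

class MailHtmlAudit(HTMLParser):
    """Collects what an HTML mail viewer must neutralise: remote references
    (the 'phone home' channel), script blocks, and links whose visible text
    is a URL pointing somewhere other than the real href (the phish case)."""
    REMOTE = re.compile(r"^(https?:)?//", re.I)

    def __init__(self):
        super().__init__()
        self.external_refs, self.suspicious_links = [], []
        self.script_blocks = 0
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self.script_blocks += 1
        # src/background on any tag, and href on <link>, fetch remote content
        for key in ("src", "background") + (("href",) if tag == "link" else ()):
            if a.get(key) and self.REMOTE.match(a[key]):
                self.external_refs.append(a[key])
        if tag == "a":
            self._href, self._text = a.get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            shown = "".join(self._text).strip()
            # visible text looks like a URL but its host differs from the href host
            if self.REMOTE.match(shown) and _host(shown) != _host(self._href):
                self.suspicious_links.append((shown, self._href))
            self._href = None

def audit(html):
    p = MailHtmlAudit()
    p.feed(html)
    p.close()
    return {"external_refs": p.external_refs, "scripts": p.script_blocks,
            "suspicious_links": p.suspicious_links}
```

Run `audit(SAMPLE_EMAIL)` to see the tracking pixel and the script reported (the `cid:` image is not, since it is part of the message), and the mismatched link flagged even though the message is rendered without fetching anything.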
