Hi Aidas, thanks for putting the question. I cc the list to get more opinions.
On 26/Nov/10 21:20, Aidas Kasparas wrote:
> In your patch you remove class attribute from all(?) tags. If this has
> to be done,

Has it to be done? (That's the question)

> Foreign stylesheets are not the only way to attach style. Style
> specification could be included as contents of <style> element. Like
> this is done in this message (see signature).

The current sqwebmail version removes style elements. Unless we change that, it seems useless to have class attributes.

> On the other hand, majority of html experts prefer class approach
> instead of specifying every aspect in every tag (old MS-Office way).

Of course, stylesheets are a great improvement for HTML. However, the kind of HTML found in mail messages is of poor quality. See e.g.
http://blogs.sitepoint.com/2007/01/10/microsoft-breaks-html-email-rendering-in-outlook/

> That approach may not yet have gained popularity in e-mail software. But
> ruling it out will not help to popularize it. And this doesn't sound
> right to me. So, if there is no better reason to remove class
> attributes, please, don't.

The only security concern I can think of is the ability to place content on different positions of the screen. For example, one can have a signed part followed by an apparently innocuous html entity that alters the appearance of the signed text. While I'm not sure that would be a good reason to remove "class", I think similar attacks might be played using bad HTML and targeting specific browsers' weaknesses.

Rather than nuking certain tags and attributes, perhaps we should only allow a predefined, restricted set of allowed tags, much like wiki processors...

_______________________________________________
courier-users mailing list
[email protected]
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
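The restricted-set approach suggested at the end of the message, sketched in Python as an added example; it is not part of the original post and not sqwebmail's code. The allowlist contents, the permitted URL schemes and all names (`ALLOWED`, `sanitize`, `SAMPLE`) are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Assumed allowlist (tag -> permitted attributes); not sqwebmail's actual policy.
ALLOWED = dict.fromkeys("p br b i em strong ul ol li blockquote pre".split(), ())
ALLOWED["a"] = ("href",)
DROP_CONTENT = {"style", "script"}  # the element and its text are discarded
SAFE_SCHEMES = ("http://", "https://", "mailto:")

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open, self.skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
        if self.skip or tag not in ALLOWED:
            return  # unknown tag: markup dropped, its text is kept
        kept = ""
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue  # class, style, id and on* never pass
            if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue
            kept += f' {name}="{escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")
        if tag != "br":  # br is a void element and is never closed
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in self.open:
            cut = len(self.open) - 1 - self.open[::-1].index(tag)
            self.out += [f"</{t}>" for t in reversed(self.open[cut:])]  # close inner tags too
            del self.open[cut:]

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

def sanitize(html_text):
    parser = AllowlistSanitizer()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out + [f"</{t}>" for t in reversed(parser.open)])

# Constructed sample: a style block, a class on a signed part, an unclosed tag.
SAMPLE = '<style>.x{top:0}</style><p class="x">Signed</p><div style="top:0">note <b>bold</div>'
```

Because the output is rebuilt only from allowlisted tags and re-escaped text, the positioning vectors discussed above (`<style>` blocks, `class` and `style` attributes) are dropped without having to enumerate them.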
