Joe Smith <[EMAIL PROTECTED]> wrote:
> On Wed, Jul 12, 2000 at 01:45:26PM -0400, Tom Neff wrote:
> > I disagree, because MLM authors have a duty to avoid relying on
> > dangerous syntaxes like BestServ's pointy-delimited ID string.
>
> What exactly is dangerous about angle brackets <> in the Subject: line?

This was already explained, but to recap, some mail clients (notably various
versions of AOL) will interpret HTML tags when displaying Subject (and
possibly other) email headers.  The potential effects range from visual
annoyance to actual malicious behavior on the user's PC (see the February
CERT advisory).

As Adam Bailey points out, the Internet credo (honored in the breach by
tiros) is liberal acceptance, conservative emission.  In this case that
means that what SHOULD happen is
 (a) email reading software should aggressively escape or "quote" HTML and
similar markups found in incoming mail by default, rather than attempting to
render them, except where the user has permitted otherwise;
 (b) email sending software should avoid the use of SGML/HTML "lookalike"
markups for their own purposes, and quote/escape any SGML/HTML they do need
to send, except in an appropriate MIME envelope.

In this case, AOL made a mistake in their email reader, to be sure, and
they'll probably get around to fixing it, but it takes a long time to
upgrade millions of members and we cannot afford to hold our breaths for the
duration.  Anyway as List-Managers we are primarily concerned with the
SENDING side, and there too, BestServ made a double mistake as I mentioned
before: enclosing a parsable token in unquoted angle brackets, and insisting
on seeing them sent back untouched along with the confirmation token itself.

Unfortunately, BestServ may be deadware and hence unchangeable.  If I were a
customer I would be moving my lists.

The only other workaround I can think of would be to set up an email proxy
that front-ended BestServ itself and massaged the Subject headers back into
the exact fussy form that the primadonna MLM expects to see.

> HTML, if present, is in the body of the message, not the headers.

I puzzled over this statement for a minute...  I *think* what Joe means is
that this is what he thought the rules must say.  Actually there is no such
rule, since email formatting predates HTML, and HTML's specification is
email agnostic.  In principle HTML can exist in any CDATA or other readable
text field, and in practice when you scour the spools you see it quite a bit
outside the safe confines of a message-body MIME envelope.
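To make rules (a) and (b) from the post concrete, here is an added example (my own code, not from anyone in this thread and not BestServ's behaviour): a reader-side escaper for Subject headers, a sender-side confirmation Subject that uses square brackets instead of markup-lookalike angle brackets, and a simulated client that strips anything tag-shaped, showing why an angle-bracketed token gets lost in transit while the bracketed one survives. The `[CONFIRM:...]` format and the regexes are assumptions made up for this example.

```python
import html
import re
from email.header import decode_header, make_header


def _decode(raw_subject: str) -> str:
    # Resolve RFC 2047 encoded words first, so markup cannot hide behind =?..?=
    return str(make_header(decode_header(raw_subject)))


# Rule (a), reader side: headers are opaque text, escape them before anything
# that renders HTML ever sees them. quote=True also covers " and ' so the
# result is safe inside an attribute, not only between tags.
def render_subject_for_html(raw_subject: str) -> str:
    return html.escape(_decode(raw_subject), quote=True)


# Rule (b), sender side: a list manager that needs a parsable token in Subject:
# should pick a delimiter no client could mistake for SGML/HTML.
# (Assumed format for this example; BestServ's real format is not shown here.)
_TOKEN_RE = re.compile(r"\[CONFIRM:([A-Za-z0-9]+)\]")


def build_confirmation_subject(token: str) -> str:
    if not re.fullmatch(r"[A-Za-z0-9]+", token):
        raise ValueError("token must be alphanumeric")
    return f"[CONFIRM:{token}] Please reply to confirm"


def extract_confirmation_token(reply_subject: str):
    """Liberal acceptance: tolerate 'Re:' prefixes, extra whitespace and
    re-encoding by the user's client, as long as the token itself survives."""
    m = _TOKEN_RE.search(_decode(reply_subject))
    return m.group(1) if m else None


# Stand-in for a client that treats Subject as HTML and drops tag-shaped text
# before displaying it (the failure mode the post describes; constructed here).
def simulate_tag_stripping_client(raw_subject: str) -> str:
    return re.sub(r"<[^>]*>", "", _decode(raw_subject))


if __name__ == "__main__":
    hostile = "=?utf-8?q?=3Cb=3EPlease_confirm=3C/b=3E?="   # constructed sample
    print(render_subject_for_html(hostile))                 # &lt;b&gt;Please confirm&lt;/b&gt;
    print(simulate_tag_stripping_client("<ab12> Confirm"))  # token gone: ' Confirm'
    print(simulate_tag_stripping_client("Re: " + build_confirmation_subject("ab12")))
```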

