James Platt wrote on 01/19/2018 12:27 PM:
in a properly configured (in my opinion) email client, a lot of HTML features will be disabled for security reasons, including such things as cookies, javascript and remote images...


Agreed to all of that, and you also want to disable "non-remote" images, because exploits to the libraries that implement those are endless, and it's super-targetable remotely (you just type in the target's direct email address, or send to an unsanitized list they're on, from anywhere in the world, and chuckle to yourself). HTML and DOM processing implementations are not known to be as buggy as the 2D pixel map libraries.

(In the email client/MUA I've been wanting to write for years, and to which I alluded recently, when listing off some Racket project ideas... I'd actually also do an HTML-to-plain conversion from scratch, for security and other reasons.  A conversion is necessary because you can't just show the plain text of the MIME alternative content type, because it's often different/empty/missing, and the HTML represents the de facto canonical contents of the email.  In the meantime, Sylpheed and Claws have some security merits, but I'd try somewhat different approaches.)
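An added example, not part of the original post and not the poster's design: a minimal HTML-to-plain renderer for an email whose text/plain alternative is empty. It drops script and style content, shows only the alt text of images (nothing is decoded or fetched), and prints each link's real target next to its label. The names `PlainTextRenderer`, `html_to_text` and `displayable_text` are hypothetical, and the sample message is constructed.

```python
from email import message_from_string, policy
from html.parser import HTMLParser

SKIP = {"script", "style", "title"}            # content that is never displayed
BLOCK = {"p", "div", "br", "li", "tr", "blockquote"}

class PlainTextRenderer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip, self.href = [], 0, None
    def handle_starttag(self, tag, attrs):
        if tag in SKIP:
            self.skip += 1
        elif tag in BLOCK:
            self.out.append("\n")
        elif tag == "img":                     # alt text only; pixels are never decoded or fetched
            self.out.append(f"[{dict(attrs).get('alt') or 'image'}]")
        elif tag == "a":
            self.href = dict(attrs).get("href")
    def handle_endtag(self, tag):
        if tag in SKIP and self.skip:
            self.skip -= 1
        elif tag == "a" and self.href:         # show the real link target next to its label
            self.out.append(f" <{self.href}>")
            self.href = None
        elif tag in BLOCK:
            self.out.append("\n")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(data)

def html_to_text(html):
    r = PlainTextRenderer()
    r.feed(html)
    r.close()
    lines = (" ".join(l.split()) for l in "".join(r.out).splitlines())
    return "\n".join(l for l in lines if l)

def displayable_text(raw):
    msg = message_from_string(raw, policy=policy.default)
    html = msg.get_body(preferencelist=("html",))
    if html is not None:                       # HTML part treated as the canonical content
        return html_to_text(html.get_content())
    plain = msg.get_body(preferencelist=("plain",))
    return plain.get_content().strip() if plain is not None else ""

# Constructed sample: the text/plain alternative is empty, the content lives in the HTML part.
SAMPLE = ('MIME-Version: 1.0\nContent-Type: multipart/alternative; boundary="XX"\n\n--XX\n'
          'Content-Type: text/plain\n\n\n--XX\nContent-Type: text/html\n\n<p>Invoice ready.<script>alert(1)</script></p>'
          '<img src="http://tracker.example/p.gif" alt="logo"><p><a href="http://login.example/x">Click here</a></p>\n--XX--\n')
```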
