ietf-822

Re: text/html an abomination

2002-05-05 18:44:55

Quoting jpalme(_at_)dsv(_dot_)su(_dot_)se, on Sun, May 05, 2002 at 08:23:50PM +0200:
At 11:11 -0500 02-03-19, Keith Moore wrote:
problem is, text/html has turned out to be an abomination -
it introduces security holes via java, javascript, etc., and
lots of folks I know filter it because the vast majority of text/html
mail they receive is spam.

Would that mean that you filter out all messages sent
by Outlook Express? But you are right that spam seems
to use text/html much more than non-spam messages.

Many mailers handle text/html, but only for a limited
part of HTML, not including java and javascript. It
is mainly used

(a) for simple formatting like bold facing, larger
     font and monospacing fonts.
(b) Including inline graphics in the e-mail.


I'm no fan of html mail, and I routinely get folks I know to change their
mailer settings to not send it, but text/html isn't a security hole, it's the
processing of it as if it was a web page that is (and insecure web page
processing, at that).

My mailer runs html through lynx -local_host, I see it and reply to it as
text, no java or javascript runs, and no links (aka webbugs) are followed.
Outlook's security problems are its fault, not text/html's.

I also have friends with webmail accounts, and some of those webmailers
default to text/html, WITHOUT the multipart/alternative of text/plain. Gagh.

Sam

-- 
Sam Roberts <sroberts(_at_)uniserve(_dot_)com> (Vivez sans temps mort!)
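
Added example, not part of the original post: the handling described above (read HTML mail as text, run no script, follow no links) written in Python with only the standard library. The names `TextOnly` and `render_as_text` and the sample message are constructed for illustration; the sample is the HTML-only case with no text/plain alternative.

```python
import email
from email import policy
from html.parser import HTMLParser

class TextOnly(HTMLParser):
    """Collect visible text, drop active content, record remote URLs without loading them."""
    SKIP = {"script", "style", "applet", "object"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.chunks, self.remote, self._skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in self.SKIP:
            self._skip += 1
        for name, value in attrs:
            is_remote = bool(value) and value.lower().startswith(("http:", "https:", "//"))
            if name in ("src", "href", "background") and is_remote:
                self.remote.append(value)  # noted for the reader, never fetched
        if tag in ("br", "p", "div", "li"):
            self.chunks.append("\n")

    def handle_endtag(self, tag):
        if tag in self.SKIP and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:  # text inside <script>/<style> is discarded
            self.chunks.append(data)

def render_as_text(raw):
    """Return (text, remote_urls); prefer text/plain, else strip the text/html part."""
    msg = email.message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain", "html"))
    if part is None:
        return "", []
    content = part.get_content()
    if part.get_content_type() != "text/html":
        return content.strip(), []
    parser = TextOnly()
    parser.feed(content)
    parser.close()
    lines = [ln.strip() for ln in "".join(parser.chunks).splitlines() if ln.strip()]
    return "\n".join(lines), parser.remote

# Constructed sample: HTML-only mail carrying a script and a 1x1 tracking image.
SAMPLE = ('Content-Type: text/html; charset="us-ascii"\n\n'
          '<p>Hello <b>Sam</b></p><script>location="http://tracker.example/x"</script>\n'
          '<img src="http://tracker.example/bug.gif?id=42" width="1" height="1"><p>Bye</p>\n')
```

An unclosed `<script>` leaves the skip counter raised, so everything after it is dropped rather than shown.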
