ietf-822

Re: text/html an abomination

2002-05-06 19:20:23

Lawrence Greenfield <leg+(_at_)andrew(_dot_)cmu(_dot_)edu> writes:

> Who cares?  Your HTML renderer looks at the "cruft" and does the right
> thing and you never see it.

It makes the HTML renderer more complex.  More complex -> more bugs,
including security vulnerabilities, and the entire code path that parses
an e-mail message is security-sensitive and dealing with untrusted data.
Which sucks, because that's a *lot* of code to expose to a security layer.

It's bad enough in a web browser.  At least with a web browser, you have
some control over what sites you go to.  What with the growth of mail
spam, it's rarer and rarer that you can establish that sort of control
over what mail messages you open.  (I'm surprised that more mail clients
don't default to showing the raw HTML with a button saying "render this";
users wouldn't press it for spam and it would make discarding spam quicker
as well as safer.)

Right now, what with the HTML that some things are generating, one needs a
full-blown HTML 4.0 rendering engine complete with CSS level two support
and possibly even DOM support to actually "do the right thing" with all
that "cruft."  That seems a little excessive for just adding bold text to
a mail message, which is what the original author probably actually did.

-- 
Russ Allbery (rra(_at_)stanford(_dot_)edu)             <http://www.eyrie.org/~eagle/>
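
The default suggested in the message above (show the plain text or the raw HTML, and render only when the user asks), as an added example that is not part of the original post. It uses Python's standard `email` package; the function name `safe_view` and both sample messages are constructed for illustration.

```python
from email import message_from_string, policy

# Constructed sample: bold text sent as multipart/alternative.
SAMPLE_ALTERNATIVE = """\
From: sender@example.org
To: reader@example.org
Subject: status
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

The build is *done*.
--b1
Content-Type: text/html; charset="us-ascii"

<html><body>The build is <b>done</b>.</body></html>
--b1--
"""

# Constructed sample: HTML-only mail carrying a remote image reference.
SAMPLE_HTML_ONLY = """\
From: offers@example.net
To: reader@example.org
Subject: offer
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body><img src="http://tracker.example/p.gif">Buy now</body></html>
"""

def safe_view(raw):
    """Return (kind, text) to display without invoking any HTML renderer.

    kind is "plain" when a text/plain body exists, "raw-html" when only
    HTML exists (the markup is returned as inert text), or "none".
    """
    msg = message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    if part is not None:
        return "plain", part.get_content()
    part = msg.get_body(preferencelist=("html",))
    if part is not None:
        # Shown as source only; rendering stays behind an explicit user action.
        return "raw-html", part.get_content()
    return "none", ""
```

Only the MIME parser touches the untrusted message here; the HTML part is never handed to a rendering engine, so no remote content is fetched when the message is opened.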