Simon Josefsson <simon+ietf-822(_at_)josefsson(_dot_)org> writes:
This looks rather sloppy to me. It seems to say "Our HTML parser is
insecure, but if you as a user is ready to take on the blame if any
problems appear, just click here". Users in general can't make security
decisions, and they should not be able to sign the security of their
system away by simply "clicking here".
I dunno, I think it falls into the category of not lying to the user. :)
How many people really think that their HTML parser is completely secure?
Have you audited the code? *wry grin*
If the code is too long for me to read and assure myself that it has no
security vulnerabilities, it probably has them, and therefore caution in
exposing it to any untrusted data is worthwhile. I think that the warning
could be clearer about that, perhaps, but I'd still say something along
the lines of:
This message is in HTML. Formatting HTML for viewing can be slow
and may let the HTML code do things that you do not expect, so the
raw HTML code of this message is displayed below. If you trust
the sender of this HTML message and want to see the formatted view
of this message, click on this box to render it.
--
Russ Allbery (rra(_at_)stanford(_dot_)edu)
<http://www.eyrie.org/~eagle/>