On Thursday 11 July 2019 02:52:56 John Crawley wrote:

> On 2019-07-11 15:25, Andrei POPESCU wrote:
> > On Jo, 11 iul 19, 12:31:07, John Crawley wrote:
> >> ...user agents that could deal with html in some sane way, and
> >> without exposing the recipient to attacks. Simply not following any
> >> web links would be enough I'd have thought? Or are there some more
> >> subtle attack paths?
> >
> > Yes, look up the EFAIL vulnerability (I posted a link in another
> > message). It enabled a potential attacker to trick e-mail clients
> > parsing html e-mail to decrypt an (old) encrypted message.
> >
> > In most cases users only had to open the message.
>
> Since enforcing no-html, and particularly no-malevolent-html on all
> incoming mail is not an option available to us, the only remaining
> choices for a "good" MUA would then be:
> A) Display html as-is, tags and all
> B) Strip out the tags and display what's left, like html2text
>
> I think B) is the better option.

The TDE version of kmail will show a blank message window if there is no 
plain text content, but will show a click here to see the html. I rather 
like it that way, but spammy crap gets fed to sa-learn spam w/o a reply.

Works for me.

Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
If we desire respect for the law, we must first make the law respectable.
 - Louis D. Brandeis
Genes Web page <http://geneslinuxbox.net:6309/gene>
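
Option B from the quoted message (strip the tags, show what is left), combined with the plain-text-first behaviour described for kmail, as an added example that is not part of the thread and not code from any MUA. The names `TagStripper` and `render_as_text` and the sample message are made up for illustration; nothing is ever fetched from the network, and the URLs a rendering client would have contacted are only listed.

```python
from email import message_from_string, policy
from html.parser import HTMLParser

# Constructed sample: an HTML-only message with a remote image and a link.
SAMPLE = """\
From: sender@example.org
To: user@example.org
Subject: constructed sample
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><head><style>p{color:red}</style></head><body>
<p>Hel<b>lo</b> there</p>
<img src="http://tracker.example/pixel.gif">
<a href="http://example.org/offer">click</a>
</body></html>
"""

class TagStripper(HTMLParser):
    """Keep text nodes only; record, but never fetch, referenced URLs."""
    SKIP = {"script", "style"}  # element content that is not message text

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.chunks, self.refs, self._skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in self.SKIP:
            self._skip += 1
        self.refs += [v for k, v in attrs if k in ("src", "href", "background") and v]

    def handle_endtag(self, tag):
        if tag in self.SKIP and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)

def render_as_text(raw_message):
    """Return (text_to_display, urls_not_fetched) for a raw RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    plain = msg.get_body(preferencelist=("plain",))
    if plain is not None:                 # a plain part exists: ignore the HTML
        return plain.get_content().strip(), []
    html = msg.get_body(preferencelist=("html",))
    if html is None:
        return "", []
    stripper = TagStripper()
    stripper.feed(html.get_content())
    stripper.close()
    return " ".join("".join(stripper.chunks).split()), stripper.refs
```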
