marking this [sge:nse]
David, Brian, any thoughts on what we will do for TB 3.0?
>> 2. mail.html_compose = false; mail.identity.default.compose_html=false
>I'm not sure how this makes things more secure, I don't see how writing HTML
>emails opens a person up to attack.

There were real exploits with "reply to/forward inline" - the editor renders malicious stuff supplied by an attacker. Another exploit possibility is the "mailto:" URI.
I think this would be sacrificing ux way too much to be worth it. Besides, it needs to be secure for all users, not just the ones that want to view html mails the way they were intended. (Simple HTML also has various quirks...) WONTFIX?
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → WONTFIX