GitHub Breaks Again
-
@tarunik said:
Say that when your replacement tool has ze bad guys taking advantage of its HTML support to create security issues...
Are you advocating for plaintext email?
-
... and you're also a paranoid kook worried about a theoretical security hole that hasn't existed in reality in years.
-
-
... and you're also a paranoid kook worried about a theoretical security hole that hasn't existed in reality in years.
You're saying I should rely on everything in the Internet to:
- treat HTML/"rich text" email as legitimate -- there are places out there that automatically throw it in the spam bucket, and
- display "rich text" mails as fully formatted -- despite the fact that it is categorically hard to get right, and has been a source of multiple MUA/mail renderer security holes in the past (and probably will be in the future as the HTML standard evolves faster than its security implications can be considered)
Sending plain ol' UTF-8 text works everywhere you'll ever care about. Besides, HTML really is the wrong tool for email formatting -- why would you ever want something that supports scripting atop being Turing complete in and of itself to be rendered when it's coming from sources you have no control over?
Why would a mailing list be preferable to a forum?
Mail management and spam control is much better understood than forum spam control -- ML's also have a much smaller attack surface than their forum counterparts as their admin interface is segregated from their user interface, which isn't the case for forums.
-
treat HTML/"rich text" email as legitimate
They are legitimate.
there are places out there that automatically throw it in the spam bucket, and
So there's lots of broken shit out there. The question is, why are morons like you using broken shit?
Sending plain ol' UTF-8 text works everywhere you'll ever care about.
I care about indenting text.
Besides, HTML really is the wrong tool for email formatting
Pray tell, what should I be using?
why would you ever want something that supports scripting atop being Turing complete in and of itself to be rendered when it's coming from sources you have no control over?
What the fuck are you talking about? HTML isn't Turing-complete.
EDIT: actually maybe with some of the CSS3 animation rules the HTML/CSS combination could be. But HTML on its own is not.
-
actually maybe with some of the CSS3 animation rules the HTML/CSS combination ~~could be~~ is
-
A 404 error. Oh, well, I'm convinced.
-
Huh. Well, at least the 404 page has a cool mouse-tracking thing on it, I guess.
Anyway, it seems someone else made a jsFiddle of the same thing: http://jsfiddle.net/Camilo/eQyBa/
-
EDIT: actually maybe with some of the CSS3 animation rules the HTML/CSS combination could be. But HTML on its own is not.
I usually treat CSS as part and parcel with HTML -- the HTML formatting tags could easily get yoinked from the next version of the spec (they were deprecated in HTML4!), leaving CSS as the only way to actually apply formatting to things.
-
I usually treat CSS as part and parcel with HTML
I don't give a shit what you "usually do", what you said is that HTML is Turing-complete and that is definitely wrong.
-
And the intent of the standards authors is that HTML is to be used with CSS, not standalone.
-
Just admit you were wrong, sheesh.
-
Did nobody else see the title and expect this to be about the Chinese DDoS?
-
@tarunik said:
Sending plain ol' UTF-8 text works everywhere you'll ever care about.
I care about indenting text.
What's wrong with tab? (Or, if you must, a few spaces?)
-
Probably working on the command-line
I know you jokers think you're joking, but there actually is at least one command-line client; I used it in college. It was called mh. Every function was a separate program.
-
elm (_el_ectronic _m_ail?) and pine (_p_ine _i_s _n_ot _e_lm) were also command line mail interfaces.
Of course, when I was a student there was always `telnet smtp.<wherever> 25` as well which had the advantage of being able to fake the sender...
-
elm (electronic mail?) and pine (pine is not elm) were also command line mail interfaces.
Well, I'd actually call 'em ChUI, myself. MH was different in that you'd want to read your email, and you'd type something like `list` at the prompt and it would show you a numbered list of the first 25 messages, and you wanted to read the newest one, you'd type `read 1`, and it would display that. It operated on email like sed, awk, etc., not as if it were a monolithic application like elm (which I also remember using.)
-
-
What's wrong with tab? (Or, if you must, a few spaces?)
Oh yeah, that works real well in conjunction with wrapping text for different output widths [NOT!]
-
display "rich text" mails as fully formatted -- despite the fact that it is categorically hard to get right, and has been a source of multiple MUA/mail renderer security holes in the past (and probably will be in the future as the HTML standard evolves faster than its security implications can be considered)
The easiest ways of dealing with this are to make a fairly short list of elements be simply thrown out, and to completely disable processing of both CSS and scripts (with a focus on JS, of course, but it's not the only example). You probably ought to also disable fetching and rendering external resources by default too.
This does upset a number of people who wanted their email rendered “just so” but they were probably in marketing anyway.
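
The filtering policy described in the post above (throw out a short list of elements, ignore CSS and scripts, do not fetch external resources), sketched with Python's standard-library HTML parser. This is an added example, not part of the original thread; the element and attribute sets, the `sanitize` helper and the sample message are assumptions constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Policy constructed for this example, not taken from any particular mail client.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "form", "svg"}
DROP_TAG_ONLY = {"link", "meta", "base", "embed"}         # void elements
FETCH_ATTRS = {"src", "srcset", "background", "poster"}   # trigger automatic loads
LINK_SCHEMES = ("http:", "https:", "mailto:")             # href needs a user click

class MailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.blocked, self.skip = [], [], 0
    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1                    # swallow everything until it closes
        if self.skip or tag in DROP_TAG_ONLY:
            return
        kept = []
        for name, value in attrs:
            value = (value or "").strip()
            if name == "style" or name.startswith("on"):
                continue                      # no inline CSS, no event handlers
            remote = name in FETCH_ATTRS and not value.lower().startswith("cid:")
            bad_link = name == "href" and not value.lower().startswith(LINK_SCHEMES)
            if remote or bad_link:
                self.blocked.append((tag, name, value))   # record what was removed
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)      # never emit a closing tag for <img/>
    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag not in DROP_TAG_ONLY:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

def sanitize(html):
    p = MailSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out), p.blocked

# Constructed sample message body (hostnames are placeholders).
SAMPLE = ('<p style="position:fixed" onclick="x()">Hi <b>there</b></p><script>alert(1)</script>'
          '<img src="http://tracker.example/open.gif?id=42" alt="logo"><img src="cid:logo@local">'
          '<a href="javascript:void(0)">x</a> <a href="https://example.org/">ok</a>')
```

An unclosed dropped element swallows the rest of the message, so malformed input fails closed rather than leaking markup through.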
-
The easiest ways of dealing with this are to make a fairly short list of elements be simply thrown out, and to completely disable processing of both CSS and scripts
The easiest way of dealing with this is to not use HTML as a markup language for e-mail, but use a DSL dedicated to simple text markup instead, like Markdown or BBCode.
Of course, that would require every e-mail client ever to support it as well. In the case of something like Markdown, which was meant to still be readable in its plain text form, that might actually not be a problem at all; non-supporting clients would just see the plain text.
-
The easiest way of dealing with this is to not use HTML as a markup language for e-mail, but use a DSL dedicated to simple text markup instead, like Markdown or BBCode.
`text/enriched` is a thing, but nobody much supports it.
Markdown
Do. Not. Go. There. Just don't.
-
-
I've read the explanations of why Markdown is preferable to Textile, including a little commentary from Atwood. They convinced me that Textile is generally better but that Markdown is winning the popularity contest (possibly primarily due to Github).
-
Hilarious.
EDIT: for the completely fucking stupid, the error log contains both my real name and my place of employment.
2015/04/01 09:39:23.343 User [username here], company [companyname here], {relevant detail}
Not
...
-