[Dev] Re: [Design] Obvious Scripting Security Notes
S. Mike Dierken
Tue, 5 Nov 2002 23:34:23 -0500
----- Original Message -----
From: "Paul Snively" <psnively@earthlink.net>

> > I know it's a challenge, so let's start working on it.
>
> Quite right. Perhaps we should begin by drafting as comprehensive a set
> of use-cases for Chandler as possible, and articulate some functional
> requirements. For example, I wouldn't have expected "HTML e-mail" to be
> a requirement; as far as I can tell, HTML e-mail is used only for spam,
> and that primarily so that web-bugs can be used to track who actually
> reads the e-mail.

I feel the same as you regarding the importance of security at the scripting layer. But I think HTML is used for more than spam - mainly rich text messages. I often correspond in a business setting using boldface text, colors, indenting, bullet points, etc.

It would be nice to know what actual uses of rich text end-users actually use and need. It may be possible to support a subset of HTML for just text markup (probably a profile of XHTML) using a Content-Type header, and then to be rude to the past, launch an external helper app (like IE) for the old HTML stuff. If there are security concerns, let them fall back on MS.
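
An added example, not part of the original message or of any Chandler code: one way the text-markup-only subset suggested above could be enforced, as an allowlist filter that keeps bold, color, list and indent markup and discards everything else, including the images used as web bugs and any script. The tag list, the color-only style rule, the function name and the sample message are assumptions made for this sketch.

```python
import re
from html import escape
from html.parser import HTMLParser

# Assumed profile: the tag list and the color-only style rule are illustrative.
ALLOWED = {"p", "br", "b", "i", "u", "strong", "em", "ul", "ol", "li", "blockquote", "span"}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object"}
COLOR_ONLY = re.compile(r"color:\s*(#[0-9a-fA-F]{6}|#[0-9a-fA-F]{3}|[a-zA-Z]{3,20})\s*;?")

class TextMarkupFilter(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.dropped, self.open_tags = [], [], []
        self.skip_depth = 0  # >0 while inside an element whose content is discarded

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
        if tag not in ALLOWED:
            self.dropped.append(tag)  # img, a, table, script ... recorded, never emitted
            return
        if self.skip_depth:
            return
        if tag == "br":
            self.out.append("<br/>")
            return
        style = (dict(attrs).get("style") or "").strip() if tag == "span" else ""
        # Every attribute is discarded except a span style that sets only a color.
        kept = ' style="%s"' % escape(style) if COLOR_ONLY.fullmatch(style) else ""
        self.out.append("<%s%s>" % (tag, kept))
        self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in self.open_tags:
            while self.open_tags:  # also close inner tags so output stays well-formed
                inner = self.open_tags.pop()
                self.out.append("</%s>" % inner)
                if inner == tag:
                    break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

def filter_message(html_body):
    """Return (markup restricted to the allowlist, list of tags that were dropped)."""
    f = TextMarkupFilter()
    f.feed(html_body)
    f.close()
    return "".join(f.out) + "".join("</%s>" % t for t in reversed(f.open_tags)), f.dropped

# Constructed sample message body, not taken from the thread.
SAMPLE = ('<p>Status: <b>done</b> <span style="color: #cc0000" onclick="x()">late</span></p>'
          '<ul><li>item</li></ul><img src="http://tracker.example/bug.gif" width="1">'
          '<script>var x = 1;</script>')
```

A non-empty dropped list tells the caller that the message used markup outside the profile, which is the case the message above proposes handing to an external viewer.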