From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <e@80x24.org>
X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on dcvr.yhbt.net
X-Spam-Level: 
X-Spam-ASN:  
X-Spam-Status: No, score=-4.0 required=3.0 tests=ALL_TRUSTED,AWL,BAYES_00
	shortcircuit=no autolearn=ham autolearn_force=no version=3.4.1
Received: from localhost (dcvr.yhbt.net [127.0.0.1])
	by dcvr.yhbt.net (Postfix) with ESMTP id 04B9D1F453;
	Wed, 26 Sep 2018 22:42:00 +0000 (UTC)
Date: Wed, 26 Sep 2018 22:42:00 +0000
From: Eric Wong <e@80x24.org>
To: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
Cc: meta@public-inbox.org
Subject: Re: Stripping multipart/alternative HTML parts instead of rejecting
Message-ID: <20180926224200.nwmeqjc2jn4ij5dw@dcvr>
References: <20180925171657.GA2950@chatter>
 <20180926194705.oofeug5fxtiiqdwe@dcvr>
 <20180926205700.GA11506@chatter>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <20180926205700.GA11506@chatter>
List-Id: <meta.public-inbox.org>

Konstantin Ryabitsev <konstantin@linuxfoundation.org> wrote:
> How do messages with a HTML part get displayed in the web view? Does it get
> offered as a download, or ignored completely?

Offered as a text/plain so viewable and downloadable, but not rendered
by the browser as HTML (because of HTML/JS/CSS injection attacks)

Recent example here:
https://public-inbox.org/sox-users/5baaded3.1c69fb81.1ab9.5c49@mx.google.com/