Skip to page content or skip to Accesskey List.
Search evolt.org
evolt.org login: or register

Work

Main Page Content

Why Developers Don't Want HTML Email

Posted on February 20, 2000

in Commentary & Society

by Daniel Cody (djc)

Rated 4.03 (Ratings: 10) (Add your rating)

Log in to add a comment
(6 comments so far)

Want more?

 
Picture of djc

Daniel Cody

Member info | Full bio

User since: December 13, 1998

Last login: September 17, 2007

Articles written: 146

In an opinion article today, Dave Winer contemplates, "Why developers want HTML rendering in the OS" and goes on to explain his experience of sending an email to a group of people. The great thing was, according to Dave, this email included a piece of Javascript that made a call back to a server where it could run a random banner-ad type script, which naturally, displayed a random banner ad right there in your email client!

Dave goes on to give a brief explanation of how this all happened, drops the expected Linux references, and summarizes with thanks to Microsoft for providing the software that is "enabling the revolution."

Revolution? To any security minded person, this is more of a nightmare! How does javascript embedded email constitute a revolution? If anything, allowing javascript to be executed by your email client is a serious compromise of the security of your system. However, I'm not here to talk about the security issues surrounding scriptable email messages, that's been beaten to death already on BugTraq:

On top of the security issues listed above, imagine what kind of javascript enabled spam you could get from people! Now instead of spam email that has a link to the "Make Money Fast" website, your javascript enabled email client parses a document.open function that calls up the "Make Money Fast" website in your browser? Porn pop up windows anyone? You get the idea..

Which developers want HTML email - much less javascript enabled email - in their inbox? The majority of developer mailing lists in fact discourage sending any sort of non-text email, including HTML and javascript encoded email. Why does Dave make such a broad statement claiming that this is what "Developers" want? I am a developer, and Dave sure as hell doesn't speak for me. This article appeared on scripting.com, but I doubt many scripting developers would agree with Dave either. A casual reader, teacher, or executive might stumble across a site about scripting such as scripting.com and think that what Dave is saying is in fact what people that 'script' and 'develop' want.

In summary, I think Dave (as well as companies like Microsoft) should think more about the security and privacy issues that surround a topic like this, and protect us as users first before developing functionality that might put our sensitive information at risk trough the use of an insecure technology such as scriptable email.

Dan lives a quiet life in the bustling city of Milwaukee, WI. Although he founded what would become evolt.org in 1998, he's since moved on to other projects and is now the owner of Progressive Networks, a Zimbra hosting company based in Milwaukee.

His personal site can be found at http://dancody.org/

6 comments on this article. Log in to add your comment | Rate this article: Rate this node 1 star.Rate this node 2 star.Rate this node 3 star.Rate this node 4 star.Rate this node 5 star.

Submitted by djc on February 22, 2000 - 02:26.

I completely agree that as an opinion leader, your words have more weight than that of a person that isn't in that situation. However, its a responsibility that comes with being an opinion leader to make sure you're informed on certain facts that you're commenting on. If one is not informed on a subject, one shouldn't comment on that subject in the first place.

login or register to post comments

Submitted by isaac on February 22, 2000 - 17:54.

Dave's response on scripting.com: "One sure way to get me to point to a site is to whine about me, using an aesthetically pleasing template. It's true, there are security concerns with HTML email. It's also true that I was excited by the power I had gotten." "On the Web, I don't have to think through all the implications behind my opinions, because in an instant, the full depth is explored." Someone owning scripting.com, and with what is surely substantial readership, should understand their responsibility and see the implications of an influential person making unresearched, "oh, I was excited by the power" comments. Reference to a completely justified clarification of security issues (this article) is far from whining, and such a response is immature.

login or register to post comments

Submitted by aardvark on February 22, 2000 - 22:14.

As a real-world example of developers wrangling with HTML email, take a look at the evolt list archives for my responses to a similar thread. To me, the benefits of HTML in email (which I am still trying to discover) do not even come close to outweighing the concerns. Some points:
  • What if your mail reader doesn't support it? My father's CompuServe email printouts (which is how he reads his email) always have to versions on the page - plain text and HTML markup.
  • Some mail forwarders will choke on it if it isn't sent as 7-bit ASCII, which I have seen happen.
  • If the email references images, my Dial-Up Networking tries to dial-up because I read most email off-line.
  • The emails are always at least twice the size of an ASCII equivalent. It has to include the plain text, and the text with markup.
  • In Outlook the damn mail reader takes forever to render the page, which is usually poorly designed color wheel crap.
  • The security issues alone result in my sending most HTML email to the trash without even opening it. If it was important, I'll get a phone call. Besides, why would I want some script kiddie to have direct access to my OS because some "developer" thought it would be keen to enable it?

login or register to post comments

For it and against it

Submitted by skamp on May 22, 2001 - 02:59.

I'm for HTML in e-mails, because:
  • When you have a beautiful template, with CSS stylesheets, well, it's beautifull (it's like buying beautifull paper for your snail mail).
  • I can't think of any security issue, since I'm using a mailer that allows to disable script executions in mails.
  • OK, HTML is heavier, but hey, what's a few more K's ? Not much, even if you have a 56k modem.
  • You can add much more interactivity within your mails.
I hate HTML in mails, because :
  • People usually don't use special templates, they just write black text on white background.
  • I'm using M$ Outlook Express and I'm concerned about security issues and evil pop-ups.
  • I've a 28.8k modem and HTML mail just take half an hour to load.
  • What usefull interactivity do people really add to their mails ? none.
My 2cents.

login or register to post comments

I Like html email

Submitted by thunder7 on October 6, 2003 - 14:52.

You can do many things with html both good and bad.
I prefure what you can do with it in a good forum
I wish I knew more html so I could do more with my mail.

login or register to post comments

Well most major email

Submitted by georgel on November 18, 2009 - 10:16.

Well most major email clients these days block links and graphics from displaying by default, tracking email with text links or graphics isn't that easy or reliable.

login or register to post comments

The access keys for this page are: ALT (Control on a Mac) plus:

evolt.orgEvolt.org is an all-volunteer resource for web developers made up of a discussion list, a browser archive, and member-submitted articles. This article is the property of its author, please do not redistribute or use elsewhere without checking with the author.