Active Desktop says hello

Posted Aug 9, 2017 21:23 UTC (Wed) by epa (subscriber, #39769)
In reply to: Active Desktop says hello by flussence
Parent article: The coming WebKitGTK+ 2.4 apocalypse

I don't think that HTML rendering is something only the web browser should be allowed to do. There are other places where you want to show formatted text, and HTML+CSS is a standard way to achieve that; like it or not, HTML mail is widely used and needs to be rendered in the MUA.

However, you are probably right that there should be a single library for HTML rendering -- which obviously is the one the web browser uses too. Then it has some hope of being maintained and secure. Apple's approach may have some merit: as I understand it, if your iOS app wants to render HTML it has to use the standard WebKit. (Then either the ABI stays compatible, or Apple decides to break compatibility with older apps and they just stop working. Either way you don't run unmaintained and vulnerable code.)


Security considered irrelevant

Posted Aug 10, 2017 4:00 UTC (Thu) by ncm (guest, #165)

Indeed, when your app just generates its own HTML to render, do security holes in your HTML renderer matter? Your app will not generate any HTML that tickles the security holes. If your app is converting external data to HTML, if that can make your app generate bad HTML, that's your app's problem.

If your app gets HTML from somewhere and just passes it along, then heaven help you.

Active Desktop says hello

Posted Aug 11, 2017 0:29 UTC (Fri) by flussence (guest, #85566)

> However, you are probably right that there should be a single library for HTML rendering -- which obviously is the one the web browser uses too.

I think I need to clarify my point: one size *doesn't* fit all here, a lot of people using the xxxx-large size aren't equipped to wield it safely. E-mail and instant messaging is a prime example of where you'd want to keep the HTML renderer as dumb as possible, since trying to blacklist bad behaviours with a loaded gun the size of WebKit or Gecko is a Sisyphean endeavour. Heck, even Mozilla seems to always have their hands full keeping up with the ad industry's creative new ways of violating human rights, and that's after they've already done all the legwork to make “evergreen browsers” a thing even for the likes of Debian Stable. There's no way to have an “evergreen xulrunner”, which is probably one reason why they killed it. But we still have WebKit to worry about.

I'd feel a lot safer if everyone could distill the existing second-tier HTML libs (QtGUI's, gtkhtml, Dillo, etc.) into one decent library that knows when to say no. Don't pull in half an operating system for a what-if, just provide a button to open something in a real browser if necessary. (And in incognito mode by default please — I don't think there's a legitimate reason to open most links from external apps in a normal profile, especially local files.)

Active Desktop says hello

Posted Aug 13, 2017 7:57 UTC (Sun) by epa (subscriber, #39769)

You can distinguish between an HTML renderer and a full Web browser engine with JavaScript and http client.

