Outlook HTML is better broken and safe, than rich and dangerous

The campaign at fixoutlook.org is brilliant. Outlook 2010 will have broken HTML support, it says, because it will use Word to render HTML:

Microsoft has confirmed they plan on using the Word rendering engine to display HTML emails in Outlook 2010. This means for the next 5 years your email designs will need tables for layout, have no support for CSS like float and position, no background images and lots more.

The web page hooks into Twitter and displays avatars from – currently – over 20,000 supporters.

Here are a few things the campaigners do not mention. First, the Word rendering was introduced in Outlook 2007. It is not a new issue; and in fact caused some commotion last time round.

Second, using Word to render HTML is safer. Here is the bit of Microsoft’s response that matters to me:

For e-mail viewing, Word also provides security benefits that are not available in a browser: Word cannot run web script or other active content that may threaten the security and safety of our customers.

I recall endless security problems with embedded Internet Explorer in earlier versions of Outlook. I used to set Outlook to display as plain text; and even then there were scenarios in which IE could be exploited.

Third, I have no enthusiasm for emails laden with “rich” HTML, JavaScript, Flash and the like. These kinds of emails are invariably marketing and usually not worth reading. What is the “Email Standards Project”? It’s nothing to do with the W3C. The major sponsor appears to be Freshview, whose main product is Campaign Monitor:

Built just for designers, Campaign Monitor is 100% rebrandable email marketing software. Send campaigns for yourself, your clients or let them send their own at prices you set.

I am not averse to simple formatting in emails, for which Word is more than adequate. I agree that Word is not good as an HTML editor or renderer; but in this context it matters little – though I was even happier with the simple HTML editor Outlook used to have for those who disabled Word integration.

Therefore I am opposed to this campaign and suspect that many of the signatories have clicked with little thought or investigation.

That said, there is plenty wrong with Outlook. Dire performance issues in Outlook 2007; the most impenetrable user interface in general use; broken RSS support that fails to integrate sensibly with either Exchange or Internet Explorer; an archiving system that by default leaves users that have more than one PC with archives all over the place and in hard-to-find locations; and plenty more.

It would be great if Microsoft would fix Outlook; but not, please, by returning to embedded IE.


8 thoughts on “Outlook HTML is better broken and safe, than rich and dangerous”

  1. First, the Word rendering engine is broken in any case. Take standard HTML that Microsoft claims they welcome and it works in most major email clients except Word (and Gmail).

    Second, nobody is asking to make Outlook unsafe. If Internet Explorer isn’t safe to use as you imply, then Outlook shouldn’t use it. Firefox/Gecko has an embeddable engine, so does WebKit/Safari that are widely used in email clients and are proven to be safe for years long before and after IE & Outlook were so widely exploited. BTW: As I recall Word had some well known security exploits too, so the implication that using Word is safer doesn’t fly.

    Third, standard HTML emails supported by other email clients do not allow “JavaScript, Flash and the like”. Nobody is suggesting that it be added to Outlook.

    For me, we write software for business (not “email marketing” either) and our customers often want to be able to send emails with some basic text formatting and maybe some images inside the content to a large group of people who use various email clients. A reasonable request and one that for non-programmers would seem simple enough. However, due to incompatibility of Outlook – and Gmail – it is incredibly difficult to accomplish with reasonable HTML. By embracing Word as a renderer in Office (another thing that surely contributes to Outlook’s notoriously poor performance) Microsoft is only exacerbating the problem.

  2. @Scott

    Thanks for the comment.

    Are you aware of any security exploits for Word in Outlook (exploiting the viewer, not attachments)? Second, what do you think are the chances of Microsoft embedding Gecko or WebKit in Outlook?

    Tim

  3. A silly argument and you know it. There’s no need to hand off an e-mail to Internet Explorer untouched; pre-parse it and strip ActiveX and JavaScript. Outlook 2007 broke people’s archives of existing mail and broke compatibility with other e-mail clients. It was a regression for users in every way from 2003.

    Secunia Advisory SA30285 can be exploited through the Outlook Word renderer. There are probably others; that’s all I came up with in 90 seconds of looking.

  4. Thanks for the voice of sanity, Tim… greatly appreciated.

    I watched with horror ten years ago as marketers drove what was clearly unsafe. File formats routinely self-destruct when they attempt to duplicate other formats. RSS is another example… originally for short notifications, then there was pressure to make it a duplicate publishing format.

    But it’s hard to push back against those who wish certain features they’ve seen in other formats. It colors my judgment of the WhatWG’s “HTML5” proposals today.

    jd/adobe

  5. Clarification: what I mean by broken archives is that existing e-mail messages which rendered properly in 2003, now render improperly in 2007 and will continue to render improperly in 2010.

    Aside: I’m curious how Outlook Web Access handles the security implications of HTML e-mail. I know it blocks external content by default. Who knows, there might even be a time-tested pre-parser there that they could use in Outlook.

  6. @Dan yes I thought that was what you meant; I don’t have any messages, that I’m aware of and value, where that is a problem.

    Tim

  7. Sheesh… I just want to be able to use blockquotes. I don’t do fancy formatting in my emails. I hate embedded images. I think funky colors and proprietary “comic” fonts should be banned. HOWEVER, I use the “quote and reply in-line” function in almost every email I reply to. Outlook can’t even grok that simple, standard, safe, not-scripty tag that’s been in HTML for at least a decade or two. All my Windows co-workers complain, “I can’t tell the difference between my original email and your reply.” Well, DUH. That’s because Outlook runs the paragraphs all together (unless you’re lucky and the clients default to two different fonts, so you can sort of maybe see where the two paragraphs break…
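
The pre-parse step raised in the comments above (strip script and ActiveX before rendering, block external content, keep harmless tags such as blockquote) can be sketched as an allowlist sanitizer. This is an added example, not part of the original post or any commenter's code, and not how Outlook or Outlook Web Access works; every name in it is an assumption.

```python
# Added illustration: allowlist pre-parser for HTML mail; all names here are assumptions.
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "blockquote", "ul", "li", "a", "img"}
DROP_CONTENT = {"script", "style", "object", "applet", "iframe"}  # body dropped too
# (tag, attribute) -> URL schemes accepted; every other attribute is discarded.
URL_ATTRS = {("a", "href"): {"http", "https", "mailto"},
             ("img", "src"): {"cid"}}       # inline attachments only, no remote fetch

def attr_ok(tag, name, value):
    schemes = URL_ATTRS.get((tag, name))    # None: attribute not allowlisted
    if schemes is None or value is None:
        return False                        # on* handlers, style, etc. never pass
    try:
        return urlsplit(value.strip()).scheme.lower() in schemes
    except ValueError:                      # malformed URL: reject
        return False

class MailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0         # skip > 0 while inside a dropped element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
        if self.skip or tag not in ALLOWED_TAGS:
            return
        kept = "".join(f' {n}="{escape(v, quote=True)}"'
                       for n, v in attrs if attr_ok(tag, n, v))
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS and tag not in ("br", "img"):
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))   # text is always re-escaped on output

def sanitize(html_mail):
    parser = MailSanitizer()
    parser.feed(html_mail)
    parser.close()
    return "".join(parser.out)

SAMPLE = '<p onclick="x()">Hi</p><script>alert(1)</script><img src="http://t.example/p.gif">'  # constructed
```

`sanitize(SAMPLE)` keeps the paragraph, drops the handler and the script body, and leaves the image without a source so nothing is fetched. An unclosed dropped element suppresses everything after it, which fails closed.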
