[barkbyte]

The comment you’re replying to is misleading. SVG supports JavaScript but only if you load the SVG directly in your browser or inline it fully into the DOM. Using it as a normal image tag, by reference or with inlined data:, it’s inert and harmless from a JavaScript perspective.

However, for a long time browsers were susceptible to denial of service attacks from maliciously crafted XML files, which SVG could exploit. (“Million laughs”). This doesn’t work in current versions but it might be a reason that SVGs are rejected.

[arp242]

Rendering HTML emails in the browser is rather tricky business, because HTML/CSS isolation mechanisms are non-existent or come with a lot of caveats. You want to make sure your layout doesn't get screwed because of some bonkers HTML/CSS but you also don't want the intended layout of the email to be completely screwed.

It's been a long while since I worked on this, but I was always very hesitant to make changes here, because we knew that our current thing worked for almost all customers, and you never knew what changes would break what.

We dogfooded our own client, and at some point a change I made broke the automated SIDN (which manages .nl TLD) emails. I forgot what exactly it was, but they did some really weird stuff. You can't just shrug and say "oh well, that's just crazy, fix your emails" because people do need those emails and getting these types of organisations to take action is like moving a mountain.

[cypherpunks01]

Ahh ok thanks for the clarification, that makes sense