[et-al]

One would hope there would be some sanitization of attachments to prevent this.

I also wish there was a regular option in iOS Messages to disable link previews.

[kenferry]

There's a ton of sanitization of attachments. It just isn't foolproof.

On iOS messages attachments are decoded in a separate, heavily restricted and sandboxed process, and the decoded sanitized results are sent back to the UI process. It just isn't perfect.

[halJordan]

Apple (and Google fwiw) do in fact have impressive hardening around their parsers.