vintasoftware / django-templated-email

Django module to easily send templated emails using django templates, or using a transactional mail provider (mailchimp, silverpop, etc.)
MIT License

HTML is not autoescaped on html parts #109

Closed jbinary closed 3 years ago

jbinary commented 6 years ago

Curiously #108 says HTML is escaped for plaintext and subject, while I found the opposite problem: HTML is not escaped for the html part, which is a real danger and is not mentioned in the doc?

My solution would be to autoescape everything at first but afterwards unescape those plaintext parts.

I've now deployed such a fix but would like it to go upstream instead of forking; would you accept such a PR?
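The approach described in the report (autoescape every part at render time, then unescape only the non-HTML parts) is illustrated below as an added, stand-alone example; it is not code from django-templated-email or from the issue author. To keep it runnable without Django installed, `render_autoescaped` is a constructed stand-in for a Django template rendered with autoescape on (every `{{ var }}` is replaced by the HTML-escaped context value), and `render_unescaped` shows what the reported bug amounts to: context values dropped into the html part verbatim. The templates, context values and the `looks_like_injected_markup` check are all constructed for the example.

```python
import html
import re

# Constructed stand-in for Django's {{ var }} substitution. Real Django templates
# support far more, but autoescaping of simple variables is the behaviour at issue.
_VAR = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def render_autoescaped(template: str, context: dict) -> str:
    """Render like a Django template with autoescape ON: values are HTML-escaped."""
    return _VAR.sub(
        lambda m: html.escape(str(context.get(m.group(1), "")), quote=True),
        template,
    )


def render_unescaped(template: str, context: dict) -> str:
    """The reported bug: values land in the html part without any escaping."""
    return _VAR.sub(lambda m: str(context.get(m.group(1), "")), template)


# Constructed email templates: one per part, as the library renders them.
PARTS = {
    "subject": "Hello {{ name }}",
    "plain": "Hi {{ name }}, your order {{ order }} shipped.",
    "html": "<p>Hi <b>{{ name }}</b>, your order {{ order }} shipped.</p>",
}

# Parts that are delivered as text, not markup; escaping there is only noise.
TEXT_PARTS = ("subject", "plain")


def render_email(context: dict) -> dict:
    """Autoescape every part, then undo the escaping on the text-only parts.

    The html part keeps its escaping, so untrusted context values cannot
    introduce markup; subject and plaintext are unescaped so recipients do
    not see entities such as &amp; or &lt;.
    """
    rendered = {name: render_autoescaped(tpl, context) for name, tpl in PARTS.items()}
    for part in TEXT_PARTS:
        rendered[part] = html.unescape(rendered[part])
    return rendered


def looks_like_injected_markup(rendered_html: str, context: dict) -> bool:
    """Defensive check: does any context value containing '<' appear verbatim
    in the rendered html part? True means a value reached the markup unescaped."""
    return any(
        "<" in str(value) and str(value) in rendered_html
        for value in context.values()
    )


if __name__ == "__main__":
    # Constructed untrusted input, e.g. a display name chosen by a user.
    untrusted = {"name": "<script>alert(1)</script>", "order": "A&B"}
    for part, body in render_email(untrusted).items():
        print(f"{part}: {body}")
    print("bug reproduced:", looks_like_injected_markup(render_unescaped(PARTS["html"], untrusted), untrusted))
```

One caveat with the unescape-afterwards approach: `html.unescape` cannot tell escaping added at render time from entities the template author typed literally, so a `&amp;` or `&lt;` written by hand in a plaintext template is turned into `&` or `<` as well. Django's engine also offers `{% autoescape off %}` blocks and an engine-level `autoescape` option, which are the usual way to render text-only templates without escaping instead of undoing it afterwards.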