See sections 3.4.1 and 3.2.4 of RFC 2822. From my reading, you can *technically* include whitespace if it's quoted, but for our purposes it's almost certainly going to be a mistake we want to notify the user about.
Email addresses are super funky - there are a lot of things that are allowed that you wouldn't expect. We're not going to try to conform perfectly to the RFCs, but a set of tests helps us not break some commonly-used odd cases and prevent regressions when we make fixes.
When I changed markdown.less to be imported directly instead of being loaded separately, the behavior of less's ':extend' caused the usertext input to inherit some extra styles, including the non-editable styles. It is fixed by applying the 'md' and 'md-container' classed directly to the elements rather than using less's extend feature.
@umbrae pointed out that it's nice to know who a message is from, even if you have to go to the message on the web to reply. It's possible at some point in time we will need something else from the sender than just their username. However, sending the id and causing a lookup seems unnecessary for a vague possibility - and we should be able to make a transition in the future pretty easily if necessary.
Even if it's opt-in, we want people to be able to easily unsubscribe from notification emails. Using an HMAC instead of a generated token means we don't have to store anything extra, but just perform a calculation on email send and in the unsubscribe responder.
@umbrae and @powerlanguage both noticed that certain characters (angle brackets, quotes) were being html-escaped in the emails. Since the emails are currently only plaintext, this looked weird and required a mental translation back to understand what the prior markdown looked like. This should continue to be safe as long as we're only sending plaintext emails.
Some users visit fairly infrequently, or visit without being logged-in, and so [don't notice messages they've received]. We need some better data on this, and it's hard to separate these people out from alts (particularly novelty accounts). However, [anecdotal evidence] and conversations shows that there is *some* demand for this feature. There are a lot more things to do to get this ready for public usage. However, we just want to get a quick prototype out so that we can start using it internally and see where it falls apart. : https://www.reddit.com/r/redditdev/comments/2f12s3/email_notifications/ : https://ifttt.com/recipes/94391-reddit-inbox-to-email-inbox
Specifically, link author names were not being scrubbed when their account was deleted. Some subreddit attrs needed to be scrubbed too, but weren't actually leakable due to the subreddit search endpoint being restricted to the 'plain' syntax.