They have done #1 and the library is WebKit and so #2 isn't happening. Not least because of the lack of expertise to patch that code base, but also because it's dynamically linked and in most deployment scenarios they get the WebKit provided by the distro. If Evolution even tried to vendor WebKit, downstream packagers would patch it out so that it links to the system lib and gets security patches along with the rest of the system.
They really haven't done number 1. A bug report was submitted, and then it has stalled for 15 months.
As of this point in time, nobody has explained to me why it would be a bad idea to add a "Do not rely on for privacy. More info" message next to the feature in Evolution Mail.
That is 100% true. Users of Evolution Mail should not rely on that feature for privacy, because Evolution Mail has chosen to add known flawed software to their application.
And despite lacking the will or ability to fix that software, they are unwilling to take a different path to patch over the problem until it is fixed in the library, by sanitising the HTML and stripping problematic tags/attributes.
These are all their choices. And all of their choices lead to end users being exposed to a privacy risk, and unaware of it.