Okay I know exactly what you're talking about regarding malformed HTTP requests because I write web server plugin software which could be subject to such attacks (were I not such a talented programer, that is. ). But your terminology is a little misleading, because it wasn't an "HTML request" that broke servers using Nimda, it was an HTTP request. HTML is just the content of an HTTP *response* from the server. Those vulnerabilities have *nothing* to do with HTML, they have to do with a web server (IIS in this case) which was poorly written.

I realize that "poorly written" software is everywhere (buffer overflow vulnerabilities especially) but to say that HTML is somehow a server-side security risk is just not correct. And to clients, the only real risk is in non-HTML goodies like JavaScript and ActiveX, which can be very easily filtered.

Hence I'm not sure why HTML isn't allowed around here, although it does prevent l4m3rz from posting in 72 point font.