In Gajim, a patch adding XHTML support was recently committed. However, it always attached XHTML to the message when formatting was used. This is not as bad as other clients, which always send XHTML.
However, when formatting was used and GPG was enabled, the <body> was encrypted and an unencrypted XHTML version of it was attached.
We should explicitly warn about this, IMO, maybe even in both XEP-0027 and XEP-0071, as this leads the user into false security and is a severe bug. It is sent in plaintext and the user never notices, unless he looks at the XML console.
-- Jonathan
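The following is an added example, not part of the original message and not Gajim's code: a Python check a client could run on an outgoing stanza to catch the case described above, where an XEP-0027 encrypted payload travels alongside a cleartext XEP-0071 copy. The function names and the sample stanza (including its placeholder ciphertext) are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS_ENCRYPTED = "jabber:x:encrypted"                  # XEP-0027 payload element <x/>
NS_XHTML_IM = "http://jabber.org/protocol/xhtml-im"  # XEP-0071 wrapper element <html/>

# Constructed sample: encrypted payload plus a plaintext XHTML-IM copy of the text.
LEAKY_STANZA = (
    "<message xmlns='jabber:client' to='peer@example.org' type='chat'>"
    "<body>This message is encrypted.</body>"
    "<x xmlns='jabber:x:encrypted'>PLACEHOLDER-CIPHERTEXT</x>"
    "<html xmlns='http://jabber.org/protocol/xhtml-im'>"
    "<body xmlns='http://www.w3.org/1999/xhtml'>meet at <strong>noon</strong></body>"
    "</html>"
    "</message>"
)


def plaintext_leaks(message):
    """Return the cleartext carried in XHTML-IM children of an encrypted message.

    An empty list means the stanza is either not encrypted or carries no
    XHTML-IM copy next to the encrypted payload.
    """
    if message.find("{%s}x" % NS_ENCRYPTED) is None:
        return []
    return [
        "".join(html.itertext()).strip()
        for html in message.findall("{%s}html" % NS_XHTML_IM)
    ]


def strip_xhtml_if_encrypted(stanza_xml):
    """Drop XHTML-IM children from an encrypted stanza before it is sent.

    Returns (cleaned_xml, leaks) so the caller can also log or warn the user.
    Unencrypted stanzas are returned with their XHTML-IM content untouched.
    """
    message = ET.fromstring(stanza_xml)
    leaks = plaintext_leaks(message)
    if leaks:
        for html in message.findall("{%s}html" % NS_XHTML_IM):
            message.remove(html)
    return ET.tostring(message, encoding="unicode"), leaks


if __name__ == "__main__":
    cleaned, leaked = strip_xhtml_if_encrypted(LEAKY_STANZA)
    print("cleartext that would have been sent:", leaked)
    print(cleaned)
```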