Holy cow, I wrote a book!
The long answer:
When balloon tips were first developed, there was no ability
to embed links.
Consequently, programs were free to put insecure text in balloon tips,
since there was no risk that they would become "live".
So, for example, a virus scanner might say
"The document 'XYZ' has been scanned and found to be
free of viruses."
Now suppose hotlinks were supported in balloon tips.
Look at how this can be exploited:
I can write a web page that goes
You download the message and since you are a cautious person,
you ask your virus scanner to check it out.
The balloon appears:
"Oh, how convenient," you say to yourself.
"The virus scanner even included a hotlink to the document
so I can read it."
And then you click on it and your hard drive gets reformatted.
"So why don't you add a NIF_PARSELINKS flag, so people
who want to enable hotlinks in their balloon tips can do so,
and still remain compatible with people who wrote to the old API?"
(I've heard of one person trying to pass a TTF_PARSELINKS flag
member and wondering why it wasn't
working. I hope it's obvious to everybody why this had no chance
Because that would just be passing the buck.
Anybody who used this proposed flag would then have to
be extra-careful not to put untrusted links in their balloon
tips. Most people would just say, "Wow! A new flag!
That's awesome!" and start using it without considering
the serious security implications.
Then somebody can trick the program into putting untrusted
text into a balloon tip and thereby exploit the security hole.
"Aw, come on, who would be so stupid as to write code without
considering all the security implications?"
The best way to make sure things are secure is to make it
impossible to be insecure.