EDIT: Hmm, I probably should have mentioned this before, but if you visit that URL, the XSS that happens will lead to your IP address being displayed on a public page.
I'm conflicted; on one hand, obviously protecting against the HTML sent in an e-mail is a good idea. I seriously considered having all e-mail bodies run through https://code.google.com/p/owasp-java-html-sanitizer/ to strip out bad elements. On the other hand, MailDrop obviously isn't meant to be secure. If you're worried about a truly private, secure inbox, MailDrop is not that application.
Got a good compromise between the two? Send a pull request and I'll get it in.
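The sanitizing approach the comment considers, as an added example that is not MailDrop's code: an allow-list policy built with the OWASP Java HTML Sanitizer is applied to an untrusted message body before it is rendered in the inbox page. The class name and the sample body are constructed for illustration.

```java
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

public class MailBodySanitizer {
    // Allow-list policy for showing an untrusted e-mail body inside a web page.
    // Only basic formatting, block structure, http(s) links and images survive;
    // <script>, event-handler attributes, forms, iframes and javascript: URLs are
    // never on the list, so the sanitizer drops them. LINKS also forces
    // rel="nofollow" on every anchor it keeps.
    private static final PolicyFactory EMAIL_BODY_POLICY = Sanitizers.FORMATTING
            .and(Sanitizers.BLOCKS)
            .and(Sanitizers.LINKS)
            .and(Sanitizers.IMAGES);

    // Run once on every inbound body, at the point where it is stored or rendered.
    public static String sanitize(String untrustedHtml) {
        return EMAIL_BODY_POLICY.sanitize(untrustedHtml);
    }

    public static void main(String[] args) {
        // Constructed sample: markup a sender could place in a message to MailDrop.
        String body = "<p>Hi <b>there</b>,</p>"
                + "<script>alert(1)</script>"
                + "<img src=\"https://example.com/a.png\" onerror=\"alert(1)\">"
                + "<a href=\"javascript:alert(1)\">bad link</a> "
                + "<a href=\"https://example.com/\">good link</a>";
        // The script element, the onerror handler and the javascript: href are
        // removed; the paragraph, bold text, image and https link are kept.
        System.out.println(sanitize(body));
    }
}
```

Because the policy is an allow-list, anything a future HTML feature introduces is rejected by default rather than needing a new blacklist entry.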