
I've tried sending HTML/JS code as an email body. Ideally, any naive web client/browser would read it along with the other HTML/JS in the page and execute it.

But I believe Yahoo Mail, Gmail and other popular mail clients take care of this possibility.

Experience: I experimented with sending an alert box from within the email body, but I am just able to see the text.

As a developer, I was wondering what elements help the client distinguish this HTML/JS code from the normal HTML/JS in the page. I believe there has to be some security element associated with it. Are there any articles that explain these effects in detail?

Maverickgugu
    Related [How to prevent Javascript injection attacks within user-generated HTML](http://stackoverflow.com/questions/942011/how-to-prevent-javascript-injection-attacks-within-user-generated-html) – Alex K. Oct 28 '15 at 16:11
  • Related: http://stackoverflow.com/questions/28301617/sanitize-all-scripts-from-html-string/28320744#28320744 - If you're writing a web mail client then you need to ensure that you remove any elements that could enable scripting. It is also advised to specify a content security policy (CSP) to prevent the browser from executing any that may slip the net (this is how Gmail works). – SilverlightFox Oct 30 '15 at 09:26

1 Answer


It is a security risk to be able to send arbitrary JS to another user. It is called cross-site scripting. You can read more about it here: https://security.stackexchange.com/questions/12568/is-e-mail-a-direct-vector-for-xss. So, to answer your question: unless the reader of your email enables JS execution (which would be bad), your JS is just going to be sent as plain text.

jo_wil
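The answer and SilverlightFox's comment describe the two layers a web mail client relies on: the message body is passed through an allowlist sanitiser that removes anything capable of scripting before it is placed in the page, and the page itself carries a Content Security Policy so that anything the sanitiser misses still cannot run. The following is an added example of both layers, written here for illustration; it is not code from the question, the answer, or any mail provider. It uses only Python's standard-library `html.parser`; the tag allowlist, the `sanitize_email_html` and `safe_url` names, the sample message and the CSP string are all constructed for the example.

```python
from html import escape
from html.parser import HTMLParser

# Allowlist of element -> permitted attributes. Anything not listed is removed.
# Event handlers (on*), style, and unknown attributes are never permitted.
ALLOWED_TAGS = {
    "p": set(), "br": set(), "b": set(), "i": set(), "strong": set(), "em": set(),
    "ul": set(), "ol": set(), "li": set(), "div": set(), "span": set(),
    "a": {"href"}, "img": {"src", "alt"},
}
VOID_TAGS = {"br", "img"}
# For these elements the tag AND its contents are dropped (script text, styles,
# embedded documents), not just the tag itself.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed", "svg", "math"}
# Only absolute URLs with these schemes survive in href/src.
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")


def safe_url(value):
    """Accept only absolute URLs with an allowlisted scheme.

    Whitespace and control characters are removed before the check because
    browsers ignore them when parsing a scheme (e.g. "java\\tscript:")."""
    if value is None:
        return False
    cleaned = "".join(ch for ch in value if ch.isprintable() and not ch.isspace())
    return cleaned.lower().startswith(SAFE_URL_SCHEMES)


class EmailSanitizer(HTMLParser):
    """Rebuilds a message body from an allowlist, discarding everything else."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.drop_depth = 0  # > 0 while inside an element whose content is dropped

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth += 1
            return
        if self.drop_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag, keep its text content
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag]:
                continue  # drops onclick, onerror, style, ...
            if name in ("href", "src") and not safe_url(value):
                continue  # drops javascript:, data:, vbscript: and relative URLs
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth = max(0, self.drop_depth - 1)
            return
        if not self.drop_depth and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is re-escaped on output, so decoded entities cannot re-form markup.
        if not self.drop_depth:
            self.out.append(escape(data, quote=False))

    # Comments, doctypes and processing instructions are silently dropped by
    # HTMLParser's default no-op handlers.


def sanitize_email_html(raw_html):
    parser = EmailSanitizer()
    parser.feed(raw_html)
    parser.close()
    return "".join(parser.out)


# Constructed example of a Content-Security-Policy header for the page that
# renders the sanitised body: default-src 'none' blocks all script (inline and
# remote) because no script-src is granted, so anything the sanitiser misses
# is still refused by the browser.
MAIL_VIEW_CSP = "default-src 'none'; img-src https:; style-src 'self'"

# Constructed sample message containing the usual scripting vectors.
SAMPLE_BODY = (
    '<p>Hi <b onclick="alert(1)">there</b>'
    '<script>alert(document.cookie)</script>'
    '<a href="javascript:alert(1)">x</a>'
    '<a href="https://example.com/?q=1">ok</a>'
    '<img src="https://example.com/a.png" onerror="alert(1)">'
    '<iframe src="https://example.net"></iframe></p>'
)

if __name__ == "__main__":
    print(sanitize_email_html(SAMPLE_BODY))
    print("Content-Security-Policy:", MAIL_VIEW_CSP)
```

Run it and the sample body comes out with the `<script>` and `<iframe>` gone, the `onclick`/`onerror` handlers stripped, the `javascript:` link reduced to a bare `<a>`, and only the `https:` link and image preserved. Note that the allowlist is rebuilt from the parse tree rather than patched with regular expressions; string-replacing `<script>` leaves too many other vectors (event attributes, URL schemes, embedded documents) in place, which is exactly why the CSP is kept as the second layer.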