[Javascript] no JS on a JS mailing list? (was: Code optimization)

Scott Reynen scott at randomchaos.com
Tue Aug 8 11:47:34 CDT 2006


On Aug 8, 2006, at 10:58 AM, Paul Novitski wrote:

> I suspect that the occasions my email client (Eudora 7) renders  
> posted HTML markup text as "active" HTML instead of plain text are  
> when folks include the HTML tag itself as part of their posting,  
> such as when they paste the entire HTML page into their email.   
> Because email clients that are capable of rendering HTML markup use  
> the HTML tag to begin a message, this causes obvious confusion.

Only broken email clients treat the HTML tag as the beginning of the  
HTML portion of a message.  Non-broken email clients follow the  
"Content-type" header, and treat emails marked with "Content-Type:  
text/plain" as plain text regardless of which HTML tags show up in  
the content.  I'm surprised to hear that Eudora is broken like this,  
but if it's really rendering content in an email marked with
"Content-Type: text/plain," I see no other conclusion.

> (Do set me straight here.  I'm hardly an expert in email technology  
> and my parochial experience with Eudora might be limiting my view.   
> Do other email clients consistently treat HTML markup insertions as  
> plain text?  Does their doing so depend on whether the author has  
> set it to send all email as HTML?  Did your own client treat Terry  
> Riegel's posting of Mon, 7 Aug 2006 18:05:01 -0400 entirely as  
> plain text?)

Yes, mine did.  That's what "Content-Type: text/plain" means.  Eudora  
apparently thinks it means something different.  That's Eudora's  
problem, not Terry's.

> In my experience, most times this happens is when someone attempts  
> to insert an example in their posting that includes what I'm  
> calling active javascript -- not just the plain text code but the  
> code embedded in an HTML context in the hopes that it will execute  
> in the email client.

Terry didn't suggest an HTML context.  Your email client assumed HTML  
context despite clear suggestion to the contrary.  JavaScript  
security isn't an issue with plain text email.  It sounds like Eudora  
is creating a security issue by ignoring the "Content-type" header.   
I guess you should be thankful that Eudora is trying to protect you  
from its own flaws, but I'd think fixing those flaws would be a  
preferable solution to asking everyone else to work around them.

Peace,
Scott
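
An added example, not part of the message above or of the list archive: a Python sketch that contrasts the header-driven decision the message describes with the body-sniffing heuristic from the quoted text. The sample messages, addresses and function names are constructed for illustration.

```python
from email import message_from_string
from email.policy import default
from html import escape

# Constructed sample messages (not taken from the list archive).
PASTED_PAGE = "<html><body onload=\"run()\">demo</body></html>\n"
HEADERS = "From: poster@example.org\nSubject: demo\nMIME-Version: 1.0\n"
PLAIN_MSG = HEADERS + "Content-Type: text/plain; charset=us-ascii\n\n" + PASTED_PAGE
HTML_MSG = HEADERS + "Content-Type: text/html; charset=us-ascii\n\n" + PASTED_PAGE
UNLABELED_MSG = "From: poster@example.org\nSubject: demo\n\n" + PASTED_PAGE


def declared_mode(raw):
    """Rendering mode taken only from the Content-Type header."""
    msg = message_from_string(raw, policy=default)
    # get_content_type() falls back to text/plain when the header is absent
    # (the RFC 2045 default), so an unlabeled message is never treated as HTML.
    return "html" if msg.get_content_type() == "text/html" else "text"


def sniffed_mode(raw):
    """The heuristic from the quoted text: an <html> tag in the body means HTML."""
    msg = message_from_string(raw, policy=default)
    return "html" if "<html" in msg.get_content().lower() else "text"


def view_markup(raw):
    """What a header-respecting client hands to an HTML-capable display widget."""
    msg = message_from_string(raw, policy=default)
    body = msg.get_content()
    if declared_mode(raw) == "html":
        return body  # a real client would sanitize this; out of scope here
    # Plain text is escaped so tags are shown as characters, never parsed as markup.
    return "<pre>" + escape(body) + "</pre>"


if __name__ == "__main__":
    for name, raw in [("plain", PLAIN_MSG), ("html", HTML_MSG), ("unlabeled", UNLABELED_MSG)]:
        print(name, "declared:", declared_mode(raw), "sniffed:", sniffed_mode(raw))
```

The two functions disagree exactly on the text/plain and unlabeled messages, which is the case discussed in this thread.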



