[thelist] Putting code into e-mail

Scott Brady evolt at scottbrady.net
Wed Jul 2 20:04:49 CDT 2003


----- Original Message ----- 
From: "Jeff Howden" <jeff at jeffhowden.com>

> but you're equating security precautions for email to web content. they're
> far from the same thing.  the same kind of scripting that can execute in
> one, cannot in another (unless you explicitly change the settings to match).

Well, I'm equating them when dealing with webmail in particular, which . . .
well, IS the same thing.  The e-mail content becomes web content.  So, in
this case, the same kind of scripting that can run in a webpage can also run
in an e-mail. Honestly, I'd think the webmail system would "parse" the
e-mail content to weed out scripting.

> if it's webbugs you're concerned about in web-based email, disable images
> before reading email.

Not really an option with the webmail system without disabling it for the
browser as a whole.

> how do you know you're not deleting a contact from a potential client?
>

Because my mind has its own Bayesian (?) filter in it that can look at the
subject line and make an educated guess.  If any potential clients are going
to use subjects like "Add 2 inches" or "Hello pxthc" then I'll take that
risk.  If I have any doubt, that's when I save it for when I'm at home and
can look at the message source in Outlook Express without opening the mail
itself.

> i'd like to know why things like the following code snippet aren't being
> escaped in plain-text email so they don't get treated as html in a non-html
> email.
>
> <script>
>   window.opener = self;
>   window.close();
> </script>

Again, it's not a problem for me in Outlook Express. It's only in the
webmail system.  Mind you, in the webmail system in question, often
questions that have things like < select> in the mail (even in the subject
line) can cause a select box to actually appear.

I didn't mean for this to be a big discussion on Scott Brady's e-mail
habits.  But, they make sense to me. I've toyed with various settings over
the past 6 months or so.  I used to use the preview pane in OE, and with
HTML e-mail that got annoying and hard to not open some spam e-mail at
times. So, I then went with reading messages only in plain text.  But, that
didn't work well with HTML e-mail messages either.  So, I've turned HTML
e-mail back on but turned off the preview pane.  And, that works pretty
well, because I know I can delete messages without opening them.

And, on the webmail system, I can go through and delete them there if I
want, as well.

The point of this thread was that some e-mail systems (particularly webmail
on CrystalTech) MIGHT actually run javascript code placed in e-mail, so it
might be a good idea to take that into account when including code.

Scott
-------------------------------------------
Scott Brady
http://www.scottbrady.net
To: <thelist at lists.evolt.org>
Sent: Wednesday, July 02, 2003 6:42 PM
Subject: RE: [thelist] Putting code into e-mail


>
> scott,
>
> ><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
> > From: Scott Brady
> >
> > Because I generally don't trust e-mail (nor do I trust
> > strange web sites).  And, it's not just security issues
> > with JS.  If I don't trust the e-mail, I don't open it,
> > because it can be spam with web bugs in it.
> ><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
>
>
>
> ><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
> > So, when I'm opening any e-mail, if I don't know the
> > source, I delete it.  [on a non-webmail system, I
> > right-click it and look at the headers to make sure
> > first].
> ><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
>
> ><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
> > Since I inherently trust e-mail from [thelist], I tend
> > to not be concerned as much.
> ><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
>
>
> .jeff
>
> ------------------------------------------------------
> Jeff Howden - Web Application Specialist
> Résumé - http://jeffhowden.com/about/resume/
> Code Library - http://evolt.jeffhowden.com/jeff/code/
>
>
>
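
Added example, not part of the original thread: one way a webmail renderer can display a text/plain message so that markup in the subject or body is shown as literal characters instead of being parsed by the browser. The sample message and the function name render_plain_message are constructed for illustration.

```python
import html
from email import message_from_string, policy

# Constructed sample: a text/plain message whose subject and body contain
# markup like the snippets mentioned in this thread.
SAMPLE = """\
From: someone@example.org
To: thelist@example.org
Subject: How do I style a <select> box?
Content-Type: text/plain; charset="utf-8"

Try this:
<script>
  window.opener = self;
  window.close();
</script>
"""


def render_plain_message(raw: str) -> str:
    """Return an HTML fragment that shows a text/plain e-mail as literal text."""
    msg = message_from_string(raw, policy=policy.default)
    # Pick the text/plain part (works for single-part and multipart mail).
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""
    # Escape &, <, > and quotes so the browser displays the characters
    # instead of building tags from them. Headers shown in the page
    # (here the subject) need exactly the same treatment as the body.
    subject = html.escape(str(msg["Subject"] or ""), quote=True)
    return (
        f"<h2>{subject}</h2>\n"
        f"<pre>{html.escape(body, quote=True)}</pre>"
    )


if __name__ == "__main__":
    print(render_plain_message(SAMPLE))
```

This covers only plain-text parts; a text/html part cannot simply be escaped and needs an allow-list HTML sanitizer before it is placed in the page.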



