Ruby on Rails Thursday, July 31, 2014

Walter Davis wrote in post #1153927:
> On Jul 31, 2014, at 8:47 AM, Colin Law wrote:
> Also, if you expect a JavaScript to execute in a mail client (Outlook,
> Gmail, Mail.app) you will be waiting a very long time. That door is
> bolted securely shut for very good reason.

If I'm not mistaken, this is also true for most web-based mail apps
running in browsers. Running JavaScript from user-provided input (i.e.
the HTML email body) would very much open up the email viewer page to
XSS attacks. I'm quite sure the web mail clients would aggressively
strip all JavaScript from the contents of the email.

--
Posted via http://www.ruby-forum.com/.
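
The stripping described in the post above, as an added example that is not part of the original thread and not any mail client's actual code: an allowlist sanitizer that rebuilds permitted tags from scratch and drops or escapes everything else. The tag, attribute and scheme lists and the names `sanitize_email_html` and `open_tag` are assumptions made for this example.

```ruby
require "cgi/escape"   # CGI.escapeHTML / CGI.unescapeHTML
require "strscan"
# Constructed policy for this example, not any real mail client's rules.
ALLOWED_TAGS  = %w[p br b i em strong a ul ol li blockquote].freeze
ALLOWED_ATTRS = { "a" => %w[href] }.freeze   # every allowed attribute here is a URL
SAFE_SCHEMES  = %w[http https mailto].freeze
DROP_CONTENT  = %w[script style].freeze      # drop the element body, not just the tags

TAG  = %r{<(/?)([a-zA-Z][a-zA-Z0-9]*)((?:"[^"]*"|'[^']*'|[^'">])*)>}
ATTR = /([a-zA-Z][\w-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/

# Rebuild an opening tag from scratch, keeping only allowlisted attributes
# whose decoded value starts with an allowlisted URL scheme.
def open_tag(name, raw_attrs)
  kept = raw_attrs.scan(ATTR).filter_map do |key, dq, sq, bare|
    key = key.downcase
    next unless ALLOWED_ATTRS.fetch(name, []).include?(key)
    value  = CGI.unescapeHTML(dq || sq || bare).strip
    scheme = value[/\A([a-z][a-z0-9+.-]*):/i, 1]
    next unless scheme && SAFE_SCHEMES.include?(scheme.downcase)
    %( #{key}="#{CGI.escapeHTML(value)}")
  end
  "<#{name}#{kept.join}>"
end

# Every "<" in the output comes from a tag this function rebuilt; anything
# it does not recognise is dropped or escaped, never copied through.
def sanitize_email_html(html)
  out = +""
  s = StringScanner.new(html)
  until s.eos?
    if s.scan(TAG)
      closing, name, raw_attrs = s[1], s[2].downcase, s[3]
      if DROP_CONTENT.include?(name)
        # Unclosed <script>/<style>: discard the rest of the message.
        (s.skip_until(%r{</#{name}\s*>}i) || s.terminate) if closing.empty?
      elsif ALLOWED_TAGS.include?(name)
        out << (closing.empty? ? open_tag(name, raw_attrs) : "</#{name}>")
      end
    elsif (text = s.scan(/[^<]+/))
      out << text                      # text nodes contain no "<"
    else
      out << CGI.escapeHTML(s.getch)   # stray "<" that is not a well-formed tag
    end
  end
  out
end
```

In a Rails application the maintained equivalent is the `sanitize` view helper, which applies its allowlist to a parsed document rather than a scanner.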

