Ruby on Rails Thursday, July 31, 2014

On Jul 31, 2014, at 7:24 PM, Robert Walker wrote:

> Walter Davis wrote in post #1153927:
>> On Jul 31, 2014, at 8:47 AM, Colin Law wrote:
>> Also, if you expect a JavaScript to execute in a mail client (Outlook,
>> Gmail, Mail.app) you will be waiting a very long time. That door is
>> bolted securely shut for very good reason.
>
> If I'm not mistaken this is also true for most web based mail apps
> running in browsers. Running JavaScript from user provided input (i.e.
> the HTML email body) would very much open up the email viewer page to
> XSS attacks. I'm quite sure the web mail clients would aggressively
> strip all JavaScript from the contents of the email.

That's what I meant by adding Gmail in there. I forgot about the native Gmail client on iOS, so that was ambiguous. This goes all the way back to Hotmail before MS bought it. Even though the browser can run JS, they would be mad to let you do that to yourself without really aggressive sanitization.

Walter

>
> --
> Posted via http://www.ruby-forum.com/.
>
> --
> You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to rubyonrails-talk+unsubscribe@googlegroups.com.
> To post to this group, send email to rubyonrails-talk@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/rubyonrails-talk/cef94a8a4ba524ad579826d7fccb3521%40ruby-forum.com.
> For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rubyonrails-talk+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-talk@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/rubyonrails-talk/C789E29F-DFF0-4040-9F12-4CCD3944793C%40wdstudio.com.
For more options, visit https://groups.google.com/d/optout.
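The point made above (webmail viewers strip every form of JavaScript from an untrusted HTML email body before rendering it, because anything less would expose the viewer page to XSS) is easiest to see as an allow-list sanitizer. The following is an added illustration, not code from this thread nor from any webmail client; the allow-list contents are an assumption, and the regex tokenizer stands in for the full HTML parser a real viewer would use. Because only listed elements and attributes survive, `<script>` blocks, inline `on*` handlers and `javascript:` URLs all fall out without being enumerated.

```ruby
# Added example (not from the thread): an allow-list HTML sanitizer of the
# kind a webmail viewer applies to an untrusted HTML email body before it is
# rendered. Anything not explicitly allowed is dropped, so script elements,
# inline event handlers and javascript: URLs are removed as a side effect.
# The allow-list below is an assumption chosen for the example; the regex
# tokenizer is a simplification of a real HTML parser.
require "cgi"

ALLOWED_TAGS  = %w[p br b i strong em a ul ol li].freeze
ALLOWED_ATTRS = { "a" => %w[href] }.freeze       # no on*, no style, no src
SAFE_URL      = %r{\A(?:https?:|mailto:)}i       # rejects javascript:, data:, vbscript:
DROP_CONTENT  = %w[script style].freeze          # drop the element AND its text

# Tokens: an HTML comment, a tag, or a run of text.
TOKEN = %r{<!--.*?-->|<[^>]*>|[^<]+}m

def sanitize_email_html(html)
  out = +""
  skipping = nil   # name of a DROP_CONTENT element we are currently inside
  html.scan(TOKEN) do |tok|
    if tok.start_with?("<!--")
      next                                       # comments are never rendered
    elsif tok.start_with?("<")
      m = tok.match(%r{\A<(/?)\s*([a-zA-Z][a-zA-Z0-9]*)([^>]*?)/?>\z}m)
      next unless m                              # malformed or <!DOCTYPE>: drop
      closing, name, attrs = m[1] == "/", m[2].downcase, m[3]
      if DROP_CONTENT.include?(name)             # <script>/<style>: swallow body
        skipping = closing ? nil : name
        next
      end
      next if skipping
      next unless ALLOWED_TAGS.include?(name)    # unknown element: drop tag, keep text
      out << (closing ? "</#{name}>" : "<#{name}#{clean_attrs(name, attrs)}>")
    else
      next if skipping
      # Normalise then re-escape text so entities cannot smuggle markup through.
      out << CGI.escapeHTML(CGI.unescapeHTML(tok))
    end
  end
  out
end

# Keep only allow-listed attributes for this tag; href must carry a safe scheme.
def clean_attrs(tag, raw)
  allowed = ALLOWED_ATTRS.fetch(tag, [])
  kept = +""
  raw.scan(/([a-zA-Z][a-zA-Z0-9-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/) do |n, dq, sq, bare|
    name  = n.downcase
    value = CGI.unescapeHTML(dq || sq || bare)
    next unless allowed.include?(name)           # drops every on* handler, style=, etc.
    next if name == "href" && value.strip !~ SAFE_URL   # drops javascript: links
    kept << %( #{name}="#{CGI.escapeHTML(value)}")
  end
  kept
end

# Constructed sample body, not a real message:
if __FILE__ == $PROGRAM_NAME
  body = '<p onclick="alert(1)">Hi <b>there</b></p><script>alert(2)</script>' \
         '<a href="javascript:alert(3)">x</a><a href="https://example.com">ok</a>'
  puts sanitize_email_html(body)
end
```

The design choice is the allow-list itself: a viewer that instead tried to strip known-bad constructs (a deny-list) has to keep up with every new way of expressing a script, while an allow-list only ever has to be correct about the small set of things it chooses to let through.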
