[Mimedefang] javascript in address header
Joseph Brennan
brennan at columbia.edu
Wed Mar 20 15:51:45 EDT 2013
Ever see one of these?--

To: Joe B <jb51 at columbia.edu<javascript:_e({},
'cvml','jb51 at columbia.edu');>>

I changed the name and address, but otherwise this is what someone on Gmail
sent to a user here. The envelope RCPT was evidently normal, as logged by
sendmail, but when we re-sent it to an Exchange system (still with a normal
RCPT), Exchange rejected the header.

This
<http://stackoverflow.com/questions/14662296/javascript-cvml-in-an-email-address>
gives a too-brief explanation of what it is.

It wouldn't be hard to remove with MimeDefang. I cannot find an example in
my own voluminous mail from Gmail users, which has me wondering how rare it
is. I wonder whether any email client would run javascript in a header line
anyway. I'm considering writing it off as one weird case.

Joseph Brennan
Columbia University Information Technology
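
An added example, not part of the original post: one way a MIMEDefang filter could strip the nested `<javascript:...>` residue from address headers so that a downstream server receives a well-formed header. It assumes the `filter_end` hook, the `./HEADERS` file in the working directory and `action_change_header`; the name `strip_js_residue` and the list of headers checked are hypothetical choices made for illustration.

```perl
use strict;
use warnings;

# Remove "<javascript:...>" fragments nested inside an address header value.
# Returns (cleaned value, number of fragments removed).
sub strip_js_residue {
    my ($value) = @_;
    my $n = ($value =~ s/<\s*javascript:[^<>]*>//gi);
    return ($value, $n || 0);
}

# MIMEDefang hook: header changes are only permitted from filter_end.
sub filter_end {
    my ($entity) = @_;
    # ./HEADERS holds the message headers, one per line (assumption stated above).
    open(my $fh, '<', './HEADERS') or return;
    my %seen;
    while (my $line = <$fh>) {
        chomp $line;
        next unless $line =~ /^(From|To|Cc|Reply-To):\s*(.*)$/i;
        my ($name, $old) = ($1, $2);
        my $idx = ++$seen{lc $name};      # which occurrence of this header
        my ($new, $n) = strip_js_residue($old);
        action_change_header($name, $new, $idx) if $n;
    }
    close($fh);
    return;
}

# Constructed sample, run only when this file is executed directly
# rather than loaded as a filter.
unless (caller) {
    my $sample = q[Joe B <jb51@columbia.edu<javascript:_e({}, 'cvml','jb51@columbia.edu');>>];
    my ($clean, $n) = strip_js_residue($sample);
    print "removed $n fragment(s): $clean\n";
}

1;
```

The substitution only touches angle-bracketed runs that begin with `javascript:`, so ordinary `Name <addr>` values pass through unchanged.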