I have seen claims that some email services mark emails with JavaScript as spam. But I have not seen it mentioned that any sensible service would just optionally scrub any embedded JavaScript entirely while leaving HTML in place. Am I looking in the wrong place or is this feature in fact not yet implemented anywhere?
2 Answers
Gmail strips out any content between <script> tags before displaying the message. If an e-mail has script tags in it, it doesn't mean Google will automatically mark it as spam, but it could be one of the things that increases the chance.
Most web mail providers and email clients will (or should) do this to protect against XSS (cross-site scripting) attacks. Read more about these here.
Therefore there's no point in sending e-mails containing JavaScript (even if it does something useful) because it will almost certainly get blocked when the message is viewed and could contribute towards it getting marked as spam.
If I wanted to design a fully "light pattern" for "Unsubscribe" in an email newsletter, is it possible for HTML within an email to update in any way dependent on server-side data? I am guessing no, since ` – Will Ediger Dec 05 '20 at 22:16
I think Gmail is set up in such a way that JavaScript embedded in an email will never be executed, hence there's no need to actually remove it. I'm not entirely certain how that works but you can confirm it for yourself by embedding
<script type="text/javascript">
alert('hello!');
</script>
in an email and emailing it to your Gmail account - you won't see any popup dialogs when you open the email.
"is set up in such a way that javascript embedded in an email will never be executed" - this is a long-winded way to say "gmail removes – Ricardo Magalhães Cruz Feb 03 '18 at 21:14
Except it doesn't remove it from the email - the text is still present, it just doesn't execute it. – Henry Wilson Feb 07 '18 at 09:33
If you type an HTML tag (say, "<b>"), then the brackets will be replaced by their escape codes ("&lt;b&gt;"). This has nothing to do with JavaScript. If you try to embed JavaScript into the HTML head, then it's removed. You cannot test this by using Gmail to send an email to yourself (as you suggested) because the Gmail editor does not allow editing the HTML. – Ricardo Magalhães Cruz Feb 07 '18 at 12:04
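
The scrubbing the question asks about (remove script, keep the rest of the HTML), as an added example that is not part of the original thread and is not Gmail's code. It uses Python's standard `html.parser`; the sample body, the `scrub` and `ScriptScrubber` names and the URL scheme allowlist are assumptions made for the illustration.

```python
from html import escape
from html.parser import HTMLParser

# Constructed sample body (not from the page): benign markup plus three script carriers.
SAMPLE = (
    "<p>Hi <b>there</b></p>"
    "<script type=\"text/javascript\">alert('hello!');</script>"
    '<a href="javascript:alert(1)" onclick="alert(2)">unsubscribe</a>'
    '<img src="https://example.com/logo.png" onerror="alert(3)">'
)
SAFE_SCHEMES = ("http:", "https:", "mailto:", "cid:")  # assumed allowlist
VOID = {"br", "hr", "img"}  # elements that take no end tag


class ScriptScrubber(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.in_script = 0  # > 0 while inside <script>...</script>

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script += 1
            return
        if self.in_script:
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):  # inline event handlers
                continue
            if name in ("href", "src") and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue  # javascript:, data:, relative and unknown schemes
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = max(0, self.in_script - 1)
        elif not self.in_script and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.in_script:  # script source is dropped, other text is re-escaped
            self.out.append(escape(data, quote=False))


def scrub(html_body):
    parser = ScriptScrubber()
    parser.feed(html_body)
    parser.close()
    return "".join(parser.out)
```

Removing only the `<script>` element would leave the `onclick`, `onerror` and `javascript:` carriers in place, which is why the attributes are filtered as well.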