« MSN Just Says No to Supporting Customers with LANs in their Homes | Main | Fast Company on the Trials and Tribulations of TiVo »

Yahoo! Mail Substituting Entire English Words in HTML Messages as a Security Measure

When we first read about this on Slashdot, we thought it might be an April Fool's Joke three and a half months late. But, believe it or not, Yahoo! Mail is changing the text of email messages sent to its subscribers in the HTML format. Need To Know, a UK-based web site, says:


In a fantastically clumsy attempt to prevent cross-site scripting attacks, the free e-mail wing of the sprawling giant has long been replacing complete English words in the text of HTML mail sent to its users. Mention "mocha" in an HTML mail to a friend with a yahoo.com account, and your choice in coffee will be silently switched to "espresso"....

According to the document containing the full list of automagic Yahoo! replacements, "Yahoo's hack doesn't respect word boundaries: so evaluate would become
reviewuate, retrieval becomes retrireview."


Hey, we never said that the developers at CTDATA were the greatest programmers in the world, but even the regular expressions we write in our 0.1 code are less greedy than this. Maybe we should come up with a topic for "How Not to Do" something. Anybody got an idea for a "worst practices" icon?

Posted by Dave Aiello on July 15, 2002 9:10 PM |

Post a comment

(If you haven't left a comment here before, you may need to be approved by the site owner before your comment will appear. Until then, it won't appear on the entry. Thanks for waiting.)

Search


About CTDATA

CTDATA Venutures (CTDATA) develops Internet and Intranet applications for corporations and non profit organizations. Our services include:

  • Consulting services for Movable Type and TypePad-based publishing systems (visit our Weblog Improvement website for more information),
  • Financial services business process consulting,
  • Content management system and knowledge management system consulting,
  • Apache web server engineering and hosting,
  • MySQL, Sybase, and Microsoft SQL Server architecture and development,
  • SOAP, REST, and XML-RPC system architecture and programming, including Amazon Web Services and
  • Weblog publishing.
For more information, contact Dave Aiello by email at dave [at] daveaiello.com or call him at +1-267-352-4420.

CTDATA Services

Categories

Archives

Subscribe to this blog's feed
[What is this?]
Copyright © 1995-2010, CTDATA Ventures. All Rights Reserved.
Powered by
Movable Type 4.25