[Dev] Re: [Design] Obvious Scripting Security Notes

Mike C. Fletcher mcfletch at rogers.com
Sun Nov 3 18:56:04 PST 2002

I have to jump in here as a design/visual person.  I use _images_ in 
HTML mail all the time when doing graphic design work.  For dealing with 
non-technical clients (i.e. those who have trouble opening an 
attachment) it is extremely useful to be able to send an HTML document 
with the image embedded.  Similarly, in small corporate environments 
I've used it to document new features as HTML email that serves as 
internal documentation (including screenshots, particularly). I've also 
seen it used for sending complex party invitations (embedded maps, 
little graphics/cartoons).  Lastly, I've seen it used as a 
document-sharing format that's easily received by most people in an 
internet-only group.

On the other hand, _code_ executed from a source unknown, is just a hole 
waiting to happen.  There's very little legitimate usage of it in email 
that I've seen.  I've seen our sysadmins use it once, but it seemed no 
more useful than if they'd put the page on a web-server and let people 
go there.  Javascript in email just isn't a need for most small 

Image loading from web-sites is probably desirable as an option disabled 
by default (that's primarily used for spam).  I've used it a few times 
for portfolio emails (with inclusions from my web-site), but it's not a 
common need AFAIK.

Enjoy all,

Wes Felter wrote:

>on 11/3/02 6:18 PM, Paul Snively at psnively at earthlink.net wrote:

>I tend to agree here. I've only seen two kinds of HTML email:
>* Simple HTML (no images, no JS) from people who are using OE with default
>* Hostile mail (spam, viruses, etc.)
>So based on these use cases, I see no need for JS support at all.
>I can imagine use cases for the "enterprise" market that would require JS,
>such as form-based workflow. But does that apply to Chandler?

  Mike C. Fletcher
  Designer, VR Plumber, Coder

More information about the Dev mailing list