Does Gmail or any other popular webmail service scrub JavaScript from HTML emails? If not, any reason why?

11,555

Solution 1

Gmail strips out any content between <script> tags before displaying the message. If an e-mail has script tags in it, it doesn't mean Google will automatically mark it as spam, but it could be one of the things that increases the chance.

Most webmail providers and email clients will (or should) do this to prevent XSS (cross-site scripting) attacks. Read more about these here.

Therefore there's no point in sending e-mails containing JavaScript (even if it does something useful) because it will almost certainly get blocked when the message is viewed and could contribute towards it getting marked as spam.
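The answer above describes what a webmail renderer has to do before showing an HTML message. Stripping `<script>` blocks alone is not enough for that job, because event-handler attributes (`onclick`, `onerror`, ...) and `javascript:` URLs are also script; the usual defence is an allowlist sanitizer that keeps only known-safe tags, attributes and URL schemes. The following is an added example written for this page, not Gmail's code or anything from the answers. The allowlist, the sample message and the `sanitize_email_html` name are constructed for illustration.

```python
"""Allowlist sanitizer for HTML e-mail bodies (added example, not Gmail's code).

Assumptions: the tag/attribute allowlist and SAMPLE below are constructed
for illustration; a real deployment would tune them to its needs.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_TAGS = {"p", "b", "i", "strong", "em", "a", "br", "ul", "ol", "li",
                "img", "table", "tr", "td", "th"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto", ""}   # "" = relative or fragment URL
VOID_TAGS = {"br", "img"}
# Tags whose *content* is discarded, not just the tag itself
DROP_CONTENT = {"script", "style", "iframe", "object", "embed"}


class EmailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # sanitized output fragments
        self.dropped = []      # audit trail: what was removed and why
        self.skip_tag = None   # tag whose content we are currently discarding
        self.skip_depth = 0

    @staticmethod
    def _safe_url(value):
        # Check the scheme with whitespace/control chars removed, so that
        # obfuscated schemes are judged the way a lenient browser would read them.
        cleaned = "".join(c for c in value if c.isprintable() and not c.isspace())
        return urlparse(cleaned).scheme.lower() in SAFE_SCHEMES

    def handle_starttag(self, tag, attrs):
        if self.skip_tag:                       # inside <script>/<style>/...: drop everything
            if tag == self.skip_tag:
                self.skip_depth += 1
            return
        if tag in DROP_CONTENT:
            self.skip_tag, self.skip_depth = tag, 1
            self.dropped.append(tag)
            return
        if tag not in ALLOWED_TAGS:             # unknown tag: drop tag, keep its text
            self.dropped.append(tag)
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):           # event handler attribute = script
                self.dropped.append(f"{tag}@{name}")
                continue
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                        # not on the allowlist for this tag
            if name in URL_ATTRS and not self._safe_url(value):
                self.dropped.append(f"{tag}@{name}")   # e.g. javascript: URL
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self.skip_tag:
            if tag == self.skip_tag:
                self.skip_depth -= 1
                if self.skip_depth == 0:
                    self.skip_tag = None
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_tag:
            self.out.append(escape(data, quote=False))   # re-escape text content

    def handle_comment(self, data):
        pass                                    # HTML comments are dropped


def sanitize_email_html(html):
    """Return (sanitized_html, list_of_dropped_items)."""
    parser = EmailSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample message mixing benign markup with script in four forms.
SAMPLE = (
    '<p>Hello <b>stark</b>,</p>'
    '<script type="text/javascript">alert("hello!");</script>'
    '<p>Your report is <a href="https://example.com/report" onclick="alert(1)">here</a>.</p>'
    '<img src="https://example.com/logo.png" alt="logo" onerror="alert(2)">'
    '<a href="javascript:alert(3)">not a real link</a>'
    '<!-- tracking comment -->'
)

if __name__ == "__main__":
    clean, removed = sanitize_email_html(SAMPLE)
    print(clean)
    print("removed:", removed)
```

The `dropped` list is what a mail service would log or use as a spam-scoring signal, which is the behaviour the answer above hints at: the message is still displayed, but the presence of script-bearing content is recorded.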

Solution 2

I think Gmail is set up in such a way that javascript embedded in an email will never be executed, hence there's no need to actually remove it. I'm not entirely certain how that works but you can confirm it for yourself by embedding

<script type="text/javascript">
      alert('hello!');
</script>

in an email and emailing it to your Gmail account - you won't see any popup dialogs when you open the email.

Author: stark

Updated on September 18, 2022

Comments

  • stark
    stark almost 2 years

    I have seen claims that some email services mark emails with javascript as spam. But I have not seen mentioned that any sensible service would just optionally scrub any embedded javascript entirely while leaving html in place. Am I looking in the wrong place or is this feature in fact not yet implemented anywhere?

  • Ricardo Magalhães Cruz
    Ricardo Magalhães Cruz over 6 years
    "is set up in such a way that javascript embedded in an email will never be executed" - this is a long-winded way to say "gmail removes <script> content" :)
  • svoruganti
    svoruganti over 6 years
    Except it doesn't remove it from the email - the text is still present, it just doesn't execute it.
  • Ricardo Magalhães Cruz
    Ricardo Magalhães Cruz over 6 years
    If you type an HTML tag (say, "<b>"), then the brackets will be replaced by their escape codes ("&lt;b&gt;"). This has nothing to do with JavaScript. If you try to embed JavaScript into the HTML head, then it's removed. You cannot test this by using Gmail to send an email to yourself (as you suggested) because the Gmail editor does not allow editing the HTML <head>.
  • Will Ediger
    Will Ediger over 3 years
    If I wanted to design a fully "light pattern" for "Unsubscribe" in an email newsletter, is it possible for HTML within an email to update in any way dependent on server-side data? I am guessing no, since <script> tags are stripped. What I would want is a button that simply says "Unsubscribe", and after it has been clicked, and the server has received it, the button would update to some kind of clear message of "Unsubscribed Successfully". Obviously I would like to research what message is most effective at quickly communicating to the user that they're unsubbed, maybe using ✔️ also.