Yahoo bans HTML email text with Javascript tags
jacobs
jacobs at students.uiuc.edu
Mon Jul 15 12:44:47 EDT 2002
This may (or may not) change cNet's review of yahoo. Read the story below
from the Risks Digest (http://catless.ncl.ac.uk/Risks):
<snip>
Yahoo's been busy instead with fiddling its own
users' private correspondence. In a fantastically clumsy
attempt to prevent cross-site scripting attacks, the free
e-mail wing of the sprawling giant has long been replacing
complete English words in the text of HTML mail sent to its
users. Mention "mocha" in an HTML mail to a friend with a
@yahoo.com account, and your choice in coffee will be
silently switched to "espresso". Talk about "free
expression", and your recipient will think you said "free
statement". Here's the full list of swaperoos:
http://www.ntk.net/2002/07/12/yahoo.txt
- try not to mail it to your friends
This fiddling has been going on now for over a year
(the ever vigilant RISKS digest noted it back in March
2001). But because of Yahoo's underhand methods, very few
people have spotted the turnabout - certainly far fewer than
if Yahoo had done the sensible thing and, say, "**"'ed out
the vowels in the word, or, God forbid, written a smarter
parser. But the sneakier you are, the wider the damage
spreads. The word "medieval" (since it contains the
javascript command "eval") is converted in Yahoo mail to
"medireview". Google now shows over 640 sites (and 1,150
separate instances) of the word "medireview" being used as a
synonym for medieval. University papers, bibliographies and
book reviews, Indian newspaper columnists, and endless
enthusiast sites drop it unseen into texts. People have
begun to ask where it originally came from, and does it have
a subtler meaning beyond "medieval"? Is Yahoo ever going to
fix its filters? Or is it time we pushed to get the first
regexp-obfuscated word into the Oxford English Dictionary?
http://catless.ncl.ac.uk/Risks/21.34.html
- does anyone still at Yahoo even know how to turn it off?
http://www.google.com/search?q=medireview
- NTK now entirely filled with google links
</snip>
Regards,
James Jacobs
**********************************************************
James R. Jacobs
Education & Social Science Library
University of Illinois Urbana-Champaign
Home: 303B1 Paddock Drive
Savoy, IL 61874
(217)359-9283
radlib at ucimc.org
http:radicallibrarian.org
http://ucimc.org/library
**********************************************************
Information is the currency of democracy. -- Thomas Jefferson
**********************************************************
(\
{|||8-
(/
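Added example (not part of the original message and not Yahoo's code): the blind substring replacement described in the quoted article next to an allow-list sanitizer built on a real HTML parser. The three substitutions are the ones the article names; the allowed-tag list and the sample message are assumptions constructed for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser

# Substitutions named in the quoted article (the full list is not reproduced).
SWAPS = {"mocha": "espresso", "expression": "statement", "eval": "review"}

def naive_filter(html_mail):
    """Blind substring replacement over the whole message, markup and prose alike."""
    pattern = re.compile("|".join(map(re.escape, SWAPS)), re.IGNORECASE)
    return pattern.sub(lambda m: SWAPS[m.group(0).lower()], html_mail)

class _Sanitizer(HTMLParser):
    """Allow-list sanitizer: keeps a few formatting tags, drops everything else."""
    ALLOWED = {"p", "b", "i", "em", "strong", "br"}  # assumed allow-list
    DROP_CONTENT = {"script", "style"}               # element and its body removed

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in self.DROP_CONTENT:
            self.skip += 1
        elif tag in self.ALLOWED and not self.skip:
            self.out.append(f"<{tag}>")  # every attribute (onmouseover, style) is dropped

    def handle_endtag(self, tag):
        if tag in self.DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif tag in self.ALLOWED and not self.skip and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))  # text is re-escaped, never rewritten

def parser_filter(html_mail):
    """Structural filtering: script is removed by position, not by spelling."""
    s = _Sanitizer()
    s.feed(html_mail)
    s.close()
    return "".join(s.out)

# Constructed sample message.
SAMPLE = ('<p onmouseover="eval(x)">A medieval text on free expression, '
          'with mocha.</p><script>eval(payload)</script>')
```

The naive filter rewrites the reader's words and still leaves the script element and the event-handler attribute in the message; the parser-based filter removes both and leaves the prose untouched.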