
Why are email subject fields interpreted as HTML?

I sent an email to my Yahoo Mail account where I had written three HTML numeric character references into the subject field:

http://www.flickr.com/photos/shalf/10272802443/in/...

Two of the three were correctly displayed as plain text, but the apostrophe got interpreted as an apostrophe:

http://www.flickr.com/photos/shalf/10272690926/in/...

This is mysterious behavior, but also symptomatic of a very bad possibility that other HTML could be exploited in the message subject line.

Of note, Yahoo Mail Basic gets it right:

http://www.flickr.com/photos/shalf/10273191846/in/...

And the View Full Headers mode of Basic gets it wrong in all three cases!!!

http://www.flickr.com/photos/shalf/10273207675/in/...

Related issues: The view full headers feature appears to be missing/broken in Yahoo Mail fully featured. Also, I tried to report this via the Feedback Forum, but found that it would not allow me to post a new topic.

Update:

I forgot to check earlier, but the "View Full Header" option (in the "More" menu, under the message body) also gets it right: all three numeric encodings are shown as plain text (with the ampersand through semicolon showing), just like the Mail Basic page.

Also, the Inbox listing of the messages shows the three encodings correctly, unlike the message when one opens it.

Fortunately it does not appear that

Update 2:

... less than is mishandled in any of the above places, so it is not as likely that this bug could be used for an exploit (I think).

If anyone's paying attention, the less than symbol (you know, left angle bracket, the HTML tag lead-in character) caused my previous edit here to get truncated, so I guess Answers is not very robust against user text either. But that's a whole other topic.

Update 3:

Hi Darcy, thanks for the link to the uservoice report but it is the flip side of the coin -- it tells of apostrophes typed to Yahoo Mail's compose dialog being converted to HTML character references in the sent mail.

What I'm reporting is those references in mail received being converted back to apostrophes. The bug I'm reporting kind of hides the bug they are tracking, but two wrongs don't make a right!

Update 4:

I've added it to the Feedback forum now:

http://yahoo.uservoice.com/forums/210695/suggestio...
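Added example (not from the original post or from Yahoo's code) modelling the two rendering paths the question describes: a view that decodes HTML character references in the Subject header before handing it to the browser, beside one that escapes the raw header so it is displayed verbatim. The sample subject and function names are constructed for illustration.

```javascript
// Named references kept deliberately small; numeric references (&#39;, &#60;,
// &#x27;) are the ones the question is about.
const NAMED = { amp: "&", lt: "<", gt: ">", quot: '"' };

// Single-pass decoder, like a browser parsing text content: each reference is
// replaced once and the output is never re-scanned.
function decodeRefs(s) {
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|amp|lt|gt|quot);/gi, (m, ref) => {
    if (ref[0] !== "#") return NAMED[ref.toLowerCase()];
    const code = ref[1].toLowerCase() === "x"
      ? parseInt(ref.slice(2), 16)
      : parseInt(ref.slice(1), 10);
    return String.fromCodePoint(code);
  });
}

// Escape the characters that are significant in HTML text so the header is
// shown literally; done in one pass so "&#39;" becomes "&amp;#39;" only.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Buggy path (as observed in the opened-message view): the header is decoded
// and the result is trusted as markup, so "&#39;" shows up as an apostrophe.
function renderSubjectBuggy(subject) { return decodeRefs(subject); }

// Correct path (as in Mail Basic / the inbox listing): the raw header is
// escaped once and the browser displays exactly what was in the header.
function renderSubjectSafe(subject) { return escapeHtml(subject); }

// Simplified model of what a browser displays for an HTML fragment: tags are
// dropped from the text content and character references are decoded once.
function browserText(html) {
  return decodeRefs(html.replace(/<[^>]*>/g, ""));
}

// Regression check a mail UI could run: does the displayed text equal the
// header as received? Any difference means something decoded it on the way.
function displaysVerbatim(render, subject) {
  return browserText(render(subject)) === subject;
}

// Does the produced fragment contain a tag the browser would treat as live?
function hasLiveMarkup(html) { return /<[a-z!\/]/i.test(html); }

// Constructed sample header: an apostrophe and a <b> element written as
// numeric references, as in the question.
const SAMPLE_SUBJECT = "Don&#39;t &#60;b&#62;panic&#60;/b&#62;";
```

With the sample, `displaysVerbatim(renderSubjectBuggy, SAMPLE_SUBJECT)` is false and the buggy fragment carries a live `<b>` tag, while the escaped path displays the header unchanged.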

1 Answer

    ?
    Lv 7
    8 years ago
    Favorite Answer

    This is an issue we are actively investigating and we are working very hard to resolve! For the most up-to-date information about this issue, please refer to the following page:

    http://yahoo.uservoice.com/forums/210695-yahoo-mai...

    I appreciate your patience while we correct the issue and I apologize for any inconvenience!

    Darcy at Yahoo Community Support

    Interested in finding out about the vibrant changes to Yahoo Mail? Have a look in Yahoo Help’s “Overview of Yahoo Mail” and be prepared to be inspired! Learn more at:

    http://help.yahoo.com/kb/index?page=content&id=SLN...
