Hi,
All JavaScript inside of <script> tags is removed when displaying a message. This alert, though, can depend on things outside of Gossamer Mail. For instance, if you have a feedback form that displays what the user entered without HTML escaping it, then they could submit a request to that script and run JavaScript.
Everything Gossamer Mail outputs is by default HTML escaped, so I don't think you would find a hole like that inside Gossamer Mail.
I'll investigate this further to make sure though.
Cheers,
Alex
--
Gossamer Threads Inc.