Hacker News new | comments | ask | show | jobs | submit login

> Peeking at the above raw email we notice that the HTML is not properly being escaped.

While I don't believe the author is mistaken that he successfully injected HTML into the email, the email snippet quoted in the article is properly escaped, because none is needed, because the email is not HTML:

  Content-Type: text/plain; charset=UTF-8
  Content-Transfer-Encoding: 8bit

  [ snip ]
  <h1>Injection Test</h1>
  <pre>This order was placed by</pre>
This is correct for plain text as <h1> has no special meaning. That said, this is a multipart/alternative email:

  Content-Type: multipart/alternative; boundary="(AlternativeBoundary)"
"multipart" meaning the email contains multiple parts, "alternative" indicating that they're the same semantic things, but alternate representations of it. We're looking at the plain text representation, when we should be looking at the HTML representation.

(These are so email clients that don't support HTML — or are configured to ignore — can fall back on something.)

Oops you're right, I snipped the wrote part of the actual email I received. There's an HTML block below the text/plain block :) nice catch! I'll update it shortly.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact