Yahoo! Mail Substituting Entire English Words in HTML Messages as a Security Measure
When we first read about this on Slashdot, we thought it might be an April Fool's Joke three and a half months late. But, believe it or not, Yahoo! Mail is changing the text of email messages sent to its subscribers in the HTML format. Need To Know, a UK-based web site, says:
In a fantastically clumsy attempt to prevent cross-site scripting attacks, the free e-mail wing of the sprawling giant has long been replacing complete English words in the text of HTML mail sent to its users. Mention "mocha" in an HTML mail to a friend with a yahoo.com account, and your choice in coffee will be silently switched to "espresso"....
According to the document containing the full list of automagic Yahoo! replacements, "Yahoo's hack doesn't respect word boundaries: so evaluate would become reviewuate, retrieval becomes retrireview."
Hey, we never said that the developers at CTDATA were the greatest programmers in the world, but even the regular expressions we write in our 0.1 code anchor on word boundaries, which is all it would have taken to leave "evaluate" and "retrieval" alone. Maybe we should come up with a topic for "How Not to Do" something. Anybody got an idea for a "worst practices" icon?
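To make the quoted behaviour concrete, here is a small added example (ours, not Yahoo!'s code or anything from the Need To Know list) that reproduces the two substitutions named above, "eval" to "review" and "mocha" to "espresso", once as plain substring replacement and once anchored on word boundaries. The replacement table is assumed to contain only those two entries, since the page names no others, and the sample message body is constructed for the example.

```python
import re

# Replacement pairs as reported above. Assumption: only the two words the
# article names are included; the real list is longer.
SUBSTITUTIONS = {
    "eval": "review",
    "mocha": "espresso",
}

# Constructed sample HTML message body, not a real captured mail.
SAMPLE_BODY = (
    "<p>Let's evaluate the retrieval code over a mocha, "
    "then run eval(payload) and compare.</p>"
)


def naive_filter(text):
    """Plain substring replacement, as the article describes Yahoo!'s filter:
    no word boundaries, so 'evaluate' becomes 'reviewuate' and 'retrieval'
    becomes 'retrireview'."""
    for word, replacement in SUBSTITUTIONS.items():
        text = text.replace(word, replacement)
    return text


def bounded_filter(text):
    r"""Same table, but each word is wrapped in \b...\b so only a whole word
    is rewritten. Ordinary English that merely contains the string is kept,
    while the bare token in 'eval(payload)' is still hit, because the '('
    that follows it is a word boundary."""
    for word, replacement in SUBSTITUTIONS.items():
        pattern = r"\b" + re.escape(word) + r"\b"
        text = re.sub(pattern, replacement, text)
    return text


def compare(text):
    """Return (naive, bounded) so the two outputs can be set side by side."""
    return naive_filter(text), bounded_filter(text)


if __name__ == "__main__":
    for label, result in zip(("naive", "bounded"), compare(SAMPLE_BODY)):
        print(f"{label:8}: {result}")
```

Running it shows the naive version mangling "evaluate" and "retrieval" exactly as the list on the page describes, while the bounded version touches only the standalone "mocha" and "eval". Either way, rewriting words in the visible text is not the same as parsing or escaping the HTML, which is the point the Need To Know piece is making.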