I only tested this sending from a Yahoo account. Sending Gmail to Gmail appears to filter this out.
This is what the message has to consist of:
- A short subject to increase the amount of code to run
- A short bit of text in the body so that the code isn't treated as quoted text
- And your code
My simple test was: Subject: a Body: asdfasdf<script>alert("asdF");</script>
Here is the screen: NOTE I JUST PUT IT BACK UP!
Last time I killed my friend's server so I uploaded it to Flickr instead.
This vulnerability could be used to gather email addresses, or possibly even to compromise the account.
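The fix for this class of bug is output encoding at the point where message text is placed into the page. The sketch below is an added example, not code from the mail client or from this post; it assumes the message list shows the subject and the start of the body in one fixed-width preview line (which is what the short-subject requirement suggests), and `PREVIEW_WIDTH`, `previewText`, `renderPreviewUnsafe` and `renderPreviewSafe` are hypothetical names.

```javascript
// Added example: rendering a subject + body preview line, unsafe vs. encoded.
// PREVIEW_WIDTH and all function names are hypothetical, not the mail client's.
const PREVIEW_WIDTH = 60;

// Plain-text part of the preview: the subject plus as much body as still fits.
function previewText(subject, body) {
  const room = Math.max(0, PREVIEW_WIDTH - subject.length - 3);
  return { subject, snippet: body.slice(0, room) };
}

// HTML-encode the five characters that can change the parsing context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Unsafe: message text is concatenated into markup as-is.
function renderPreviewUnsafe(subject, body) {
  const p = previewText(subject, body);
  return `<b>${p.subject}</b> - ${p.snippet}`;
}

// Safe: truncate the raw text first, then encode, so an entity is never cut in half.
function renderPreviewSafe(subject, body) {
  const p = previewText(subject, body);
  return `<b>${escapeHtml(p.subject)}</b> - ${escapeHtml(p.snippet)}`;
}

// Constructed sample: the test message quoted in the post.
const sampleSubject = 'a';
const sampleBody = 'asdfasdf<script>alert("asdF");</script>';

console.log(renderPreviewUnsafe(sampleSubject, sampleBody)); // markup survives intact
console.log(renderPreviewSafe(sampleSubject, sampleBody));   // markup shown as text
// A long subject leaves little room, so the body is cut before the tag starts.
console.log(renderPreviewUnsafe('Minutes of the quarterly planning meeting, part two', sampleBody));
```

Truncation alone is not a defence, since it only depends on how long the sender chooses to make the subject; the encoded version is safe at any length.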