HTML 'Form' in the body of email does not 'Submit' inputs, with either GET or POST
Hey all, I don't know if this is a feature request, a bug, or just a known limitation...
I have a system that sends out an email. In that email is an HTML Form, with a number of hidden inputs. The end result is only 2 buttons that the user can press, "Yes" or "No". (These emails are only going to users of the system - employees of the company; it's not spam/malware/etc.)
<form method="get" action="https://www.server.com/forms/ResponseProcessing.php"> <input type="hidden" name="AnID" value="215101883943342"> <input type="hidden" name="IntID" value="81239434-78B5-4334-BA0B-17D4AA00A832"> <input type="hidden" name="UserID" value="41276"> <input type="hidden" name="Name" value="Test Name" > <input type="hidden" name="Location" value="Testing Site"> <button type="submit" name="Outcome" value="Yes" > Yes </button> <button type="submit" name="Outcome" value="No" > No </button> </form>
It is supposed to call a PHP file that is hosted, and pass in the information along with their Yes/No response. However, when I use Thunderbird to view the email and click a button, none of the hidden elements, nor the button itself, are showing up in the PHP file - the $_GET and $_POST arrays are completely empty.
When I view the exact same email via a webmail interface (provided by the email provider that hosts our email addresses), I get a full set of information for both GET or POST versions.
What is the restriction here - Thunderbird?
Thanks.
Chosen solution
Thunderbird does not do scripting in emails. It is a serious security risk. Apparently it does not do forms for the same reason. https://bugzilla.mozilla.org/show_bug.cgi?id=533545#c76
Read this answer in context 👍 1All Replies (4)
Chosen Solution
Thunderbird does not do scripting in emails. It is a serious security risk. Apparently it does not do forms for the same reason. https://bugzilla.mozilla.org/show_bug.cgi?id=533545#c76
Thanks for finding that and providing the context. Sounds like something of a contentious issue - back in the day. And since it hasn't been addressed in the intervening 7 years, I doubt that it will ever get 'fixed' - depending on whether or not you agree with the conclusion to not fix it.
I would like to know how filling in a form on Thunderbird is more of a security risk than filling in a form in FireFox?
In practice the OP requirement can be achieved by placing two <a> tags in the email. To each can be attached, effectively as GET responses, the necessary identification info plus a field indicating the button pressed. I won't repeat all those given above but something like
<A href="https://www.server.com/forms/Response.php?UserID=1234&QuestionID=12&Answer=Yes>
and of course
<A href="https://www.server.com/forms/Response.php?UserID=1234&QuestionID=12&Answer=No>
(the & are converted to & during transmission)
In practice I place the calls in a coloured ..... to give the user something to click.
It would be useful if Thunderbird could handle a full form so that multiple questions could be asked with just one Submit button and of course just one jump out of Thunderbird into Fire Fox to handle the response. Why? because many users will not click a link to a seperate online form.
The OP is correct in that eg GMAIL will handle a full form <form>, so come on Thunderbird - Catchup.
Modified by GEMSYS
GEMSYS said
I would like to know how filling in a form on Thunderbird is more of a security risk than filling in a form in FireFox?
I suggest you read the bug. But Thunderbird is not inherently a web browser, so your comparison is like a bicycle and a jet aircraft. Both carry paper mail, but about there the similarity ends. Likewise a mail client is not the same thing as a web page in a browser displaying mail mail.
The OP is correct in that eg GMAIL will handle a full form <form>, so come on Thunderbird - Catchup.
If you don't grasp the concept of a web browser (gmail) being different to a desktop mail client (Thunderbird) then I suppose you would see it as a catch up thing.