JavaScript and Emails


When writing an email the two main choices that you have are to write the email in plain text or to use HTML. With plain text all you can place in the email itself is text and anything else must be an attachment. With HTML in your email you can format the text, incorporate images and do most of the same things in the email that you can do in a web page.

As you can incorporate JavaScript into HTML in a web page, you can of course similarly incorporate JavaScript into HTML in an email.

Why then do we not see JavaScript used in HTML emails?

The answer to this relates to a fundamental difference between web pages and emails. With web pages it is the person browsing the web who decides which web pages they visit. A person on the web is not going to visit pages that they believe may contain anything that might be harmful to their computer, such as a virus. With emails it is the sender who has the most control over what emails are sent, and the recipient has less control. The entire concept of spam filtering, which tries to strip out junk emails that are not wanted, is one indication of this difference. Because emails that we don't want can get through our spam filter, we want the emails that we do see to be made as harmless as we can make them, just in case something destructive does get past our filter. Also, while viruses can be attached to both emails and web pages, those in emails are far more common.

For this reason the vast majority of people have the security settings in their email program set much higher than they have set in their browser. This higher setting usually means that they have their email program set up to ignore any JavaScript that might be found in the email.
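As an illustration of the kind of check a mail program or gateway can make before deciding what to ignore, here is an added example (not part of the original article) that walks a message's HTML parts and reports script elements, inline event handlers and `javascript:` URLs. The sample message and the names `ActiveContentFinder` and `scan_message` are constructed for this example.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
URL_ATTRS = {"href", "src", "action", "formaction"}

class ActiveContentFinder(HTMLParser):
    """Records where script could run; HTMLParser lower-cases tag/attribute names."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append(("script-element", tag))
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(("event-handler", f"{tag}[{name}]"))
            elif name in URL_ATTRS:
                # Drop whitespace and control characters before the scheme test.
                url = "".join(c for c in (value or "") if c > " ").lower()
                if url.startswith("javascript:"):
                    self.findings.append(("javascript-url", f"{tag}[{name}]"))

def scan_message(raw):
    findings = []
    for part in message_from_string(raw, policy=policy.default).walk():
        if part.get_content_type() == "text/html":
            finder = ActiveContentFinder()
            finder.feed(part.get_content())
            finder.close()
            findings.extend(finder.findings)
    return findings

# Constructed sample message, not taken from real mail.
SAMPLE = """\
From: sender@example.com
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Hello
--b1
Content-Type: text/html; charset="utf-8"

<body onload="init()"><script>document.title = "x";</script>
<a href="javascript:void(0)">open</a> <a href="https://example.com/page">web version</a></body>
--b1--
"""
```

Calling `scan_message(SAMPLE)` reports the `onload` handler, the `script` element and the `javascript:` link, while the ordinary link to a web page produces no finding.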

Of course, the reason most HTML emails don't contain JavaScript is that they don't have any need for it.

Where there would be a use for JavaScript in an HTML email, those who understand that JavaScript is disabled in most email programs will produce an alternative solution in which the email links to a web page that contains the JavaScript.

There will only be two groups of people who place JavaScript into their emails - those who have not yet realised that the security settings in email programs are different from those for web pages, so that their JavaScript isn't going to run, and those who deliberately place JavaScript into their email so that it will automatically install a virus onto the computer of those few people who have the security settings in their browser misconfigured so that the JavaScript can run.