Send non-executable script in body by mailto:

I want to prepare an email to send with mailto: This email contains a few words and a js script. This script does not need to be executed. It’s just for the receiver to copy and paste.

The script:

<script id="myID">var script = document.createElement("script");script.src="script-to-inject.js?id=myID&type=0&name=Name&size=120";document.head.appendChild(script); </script>

And my mailto:

window.location.href = "mailto:"+email+"?subject="+subject+"&body=FewWords"+ script;

When my mail is open I have something like that:

<script id="myID">var script = document.createElement("script");script.src="script-to-inject.js?id=myID

The end of the script does not appear (after the first &)

How can I fix this? Thanks!

Answer

You need to be escaping email, subject, and script properly when setting the href attribute. What if these variables contain the & or the = characters? You can see how this would get misinterpreted.

Try this:

window.location.href = "mailto:"
  + encodeURIComponent(email)
  + "?subject="
  + encodeURIComponent(subject)
  + "&body=FewWords"
  + encodeURIComponent(script);

(I’m not sure that you can pass HTML in the body parameter, by the way. It might get interpreted as plain text.)

You can also use URLSearchParams:

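const params = new URLSearchParams();
params.append('subject', subject);
params.append('body', 'FewWords' + script);
// URLSearchParams encodes spaces as "+", which mail clients show literally; use %20 instead.
window.location.href = 'mailto:' + encodeURIComponent(email) + '?' + params.toString().replace(/\+/g, '%20');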
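
The truncation in the question and the fix in the answer, side by side, as an added example that is not part of the original question or answer. The names buildMailto, parseMailto and snippet, the address user@example.com and the sample body are assumptions made for illustration; parseMailto models how a mail client splits the header fields, so an unencoded & shows up as a cut-off body plus stray extra fields.

```javascript
// Added example; buildMailto, parseMailto and the sample data are illustrative.

// Build a mailto: URI per RFC 6068: every header value is percent-encoded,
// and line breaks in the body are normalised to CRLF (%0D%0A).
function buildMailto(to, fields) {
  const query = Object.entries(fields)
    .map(([name, value]) => {
      const text = String(value).replace(/\r\n|\r|\n/g, '\r\n');
      return encodeURIComponent(name) + '=' + encodeURIComponent(text);
    })
    .join('&');
  // Keep "@" readable in the address; everything else reserved stays encoded.
  const addr = encodeURIComponent(to).replace(/%40/g, '@');
  return 'mailto:' + addr + (query ? '?' + query : '');
}

// Split a mailto: URI the way a mail client does: "?" starts the header
// fields, "&" separates them, the first "=" separates name from value.
function parseMailto(uri) {
  const rest = uri.slice('mailto:'.length);
  const q = rest.indexOf('?');
  const out = { to: decodeURIComponent(q < 0 ? rest : rest.slice(0, q)), fields: {} };
  if (q < 0) return out;
  for (const pair of rest.slice(q + 1).split('&')) {
    const eq = pair.indexOf('=');
    const name = eq < 0 ? pair : pair.slice(0, eq);
    const value = eq < 0 ? '' : pair.slice(eq + 1);
    out.fields[decodeURIComponent(name).toLowerCase()] = decodeURIComponent(value);
  }
  return out;
}

// Constructed sample input, modelled on the snippet in the question.
const snippet = '<script id="myID">var s = document.createElement("script");' +
  's.src="script-to-inject.js?id=myID&type=0&name=Name&size=120";' +
  'document.head.appendChild(s);</script>';
const body = 'Few words\n' + snippet;

// Unencoded concatenation, as in the question, versus the encoded form.
const naive = 'mailto:user@example.com?subject=Setup&body=' + body;
const safe = buildMailto('user@example.com', { subject: 'Setup', body });

console.log(parseMailto(naive).fields);      // body is cut at the first "&"; type, name, size appear as extra fields
console.log(parseMailto(safe).fields.body);  // full text, line break as CRLF
```
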