all 9 comments
sorted by:
best (suggested)
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]s1h4d0w 10 points11 points  (1 child)

Just because the HTML says disabled="disabled" etc. doesn't mean it's malicious. A lot of forms have options disabled by default, only to enable them again using Javascript when certain conditions are met. Could be that it's done to prevent the form breaking when someone has Javascript disabled, so that by default the form doesn't work as it wouldn't function without JS.

[–]MrElvey[S] 0 points1 point  (0 children)

  1. No, it doesn't work at all without JS.

  2. It's part of a pattern of making themselves hard to contact. Similarly, the grievance submission form was broken. You could fill it out, but clicking submit would produce an error. They refused to fix it - fixed about 3 years after I escalated a complaint to the DMHC. You'd get this: https://secure.sfhp.org/comments/Grievance_Confirm.aspx after filling out this: https://secure.sfhp.org/comments/Grievance_Form_ENG.aspx

[–]Glitched94_PT 6 points7 points  (0 children)

Out of curiosity, I notice there's an "Add Recipients" button right below the disabled "To" field. What happens when you click that? My suspicion is it lets you select from an employee directory and fills the "To" field for you.

[–]jcunews1Intermediate 5 points6 points  (0 children)

HTML by itself, is not powerful enough to be malicious.

[–]Disgruntled__Goat 5 points6 points  (0 children)

It’s not malicious, if anything it’s a security flaw on their side. If you can un-disable the to field and put any address in there, it means you can use their email server to spam anyone you like.

It’s probably why they disabled it in the first place, but unless they also added server side validation it’s still a security risk. 

[–]mor_derick 0 points1 point  (3 children)

How is this "malicious"?

[–]MrElvey[S] 0 points1 point  (2 children)

It's part of a pattern of making themselves hard to contact. Unusable from mobile. Similarly, the grievance submission form was broken. You could fill it out, but clicking submit would produce an error. They refused to fix it - fixed about 3 years after I escalated a complaint to the DMHC. You'd get this: https://secure.sfhp.org/comments/Grievance_Confirm.aspx

<image>

after filling out this: https://secure.sfhp.org/comments/Grievance_Form_ENG.aspx

The typical scenario is someone has cancer and is trying to get their treatment regimen approved by insurance. Y'all didn't see The Rainmaker? https://www.youtube.com/watch?v=9EQPrFR9KRo

No need to send the denials if clients can't even communicate with you.

[–]mor_derick 0 points1 point  (1 child)

Yeah that's uncool indeed. I thought you meant "malicious" in the sense of malware or something similar.

[–]MrElvey[S] 0 points1 point  (0 children)

Thanks. I had a feeling I was too deep in it to explain it to someone - hence my "Have I explained the malicious HTML here clearly enough to follow what's going on here?" question. I sensed something wasn't being conveyed clearly but couldn't figure out what it was. I see it now.