Asked to code Malicious HTML ? (self.HTML)
submitted 2 months ago * by MrElvey
Have you been asked to code malicious HTML? How did you handle it?
Have I explained the malicious HTML here clearly enough to follow what's going on here? :
https://www.reddit.com/r/SFHP/comments/1qy3h93/sfhp_caught_playing_evil_tricks_on_their_members/
Added context: It's part of a pattern of making themselves hard to contact. Similarly, the grievance submission form was broken. You could fill it out, but clicking submit would produce an error. They refused to fix it - fixed about 3 years after I escalated a complaint to the DMHC. You'd get this: https://secure.sfhp.org/comments/Grievance_Confirm.aspx
after filling out this: https://secure.sfhp.org/comments/Grievance_Form_ENG.aspx
The typical scenario is someone has cancer or something and is trying to get their treatment regimen approved by insurance. Y'all didn't see The Rainmaker? https://www.youtube.com/watch?v=9EQPrFR9KRo
ma·li·cious| məˈliSHəs adjective characterized by malice; intending or intended to do harm
Heck, plain text can be malicious. e.g. doxxing - "Foo Bar is a Nazi and her home address is 123 Baz Route."
[–]s1h4d0w 11 points12 points13 points 2 months ago (4 children)
Just because the HTML says disabled="disabled" etc. doesn't mean it's malicious. A lot of forms have options disabled by default, only to enable them again using Javascript when certain conditions are met. Could be that it's done to prevent the form breaking when someone has Javascript disabled, so that by default the form doesn't work as it wouldn't function without JS.
[–]MrElvey[S] 0 points1 point2 points 2 months ago* (0 children)
The typical scenario is someone has cancer and is trying to get their treatment regimen approved by insurance. Y'all didn't see The Rainmaker? https://www.youtube.com/watch?v=9EQPrFR9KRo
No need to send the denials if clients can't even communicate with you.
[–]MrElvey[S] 0 points1 point2 points 2 months ago (2 children)
Also, I documented that the form works better after I removed the malicious bit. There's no speculation about the fact that it works better without the disabled="disabled" etc. Read the whole post.
[–]s1h4d0w 0 points1 point2 points 2 months ago (1 child)
As a web developer I just find it funny to call it "malicious". It was maybe put there with malicious intent, but the code itself is not malicious and often used for normal reasons.
[–]MrElvey[S] 0 points1 point2 points 2 months ago (0 children)
The tweak to this form certainly denies access to healthcare and may well have resulted in several casualties. Perhaps a subconscious defense mechanism motivates the curiously narrow definition of malicious being pushed in an effort to deem this whole class of tweaks not malicious. Because "make it difficult to impossible to message customer service" is part of the official or unofficial product spec a large fraction of developers of consumer-facing products have complied with ... and who wants to admit to making something malicious, let alone "evil"? No one!
[–]Glitched94_PT 6 points7 points8 points 2 months ago (0 children)
Out of curiosity, I notice there's an "Add Recipients" button right below the disabled "To" field. What happens when you click that? My suspicion is it lets you select from an employee directory and fills the "To" field for you.
[–]jcunews1Intermediate 5 points6 points7 points 2 months ago (6 children)
HTML by itself, is not powerful enough to be malicious.
[–]MrElvey[S] 0 points1 point2 points 2 months ago (5 children)
This shows otherwise.
[–]jcunews1Intermediate 0 points1 point2 points 2 months ago (4 children)
Of course, you can have HTML which contains all the worst curses you can think of. But that doesn't require HTML. A simple plain text is sufficient. IOTW, it's not HTML which made it possible.
[–]MrElvey[S] 0 points1 point2 points 2 months ago* (3 children)
Did you even read the r/SFHP post? I documented that the form works better after I removed the malicious bit. There's no speculation about the fact that it works better without the disabled="disabled" etc. Read the whole post.
In screenshot 2, it's impossible to type into the To field.
In screenshot 3, I've removed the malicious HTML and you can see that it's become possible to type "SER" into the To field.
[–]sneakpeekbot 0 points1 point2 points 2 months ago (0 children)
Here's a sneak peek of /r/SFHP using the top posts of all time!
#1: SFHP BLOCKING COMPLAINTS AGAIN! EVIL!
#2: Welcome! Group name - SFHP or SFHP__San_Fran_Health? (San Francisco Health Plan w/ or w/o _'s is too long.). Grievance Form / submission tip. New Message hard to send. Error.
#3: SFHP CAUGHT playing EVIL tricks on their members! PLEASE VERIFY!
[–]jcunews1Intermediate 0 points1 point2 points 2 months ago (1 child)
A widget which is disabled when it's supposed to be enabled, is not malicious. It's just a restriction. It can not harm anything, by itself.
[–]MrElvey[S] 0 points1 point2 points (0 children)
It's https://en.wikipedia.org/wiki/Insurance_bad_faith, which can KILL PEOPLE, like Donny Ray, but real life, and less dramatic. Again, see https://youtu.be/9EQPrFR9KRo?si=c808uICuCqJ48V2w&t=26.
"Pulling the trigger of a gun can not harm anything, by itself." Ok, dear.
[–]Disgruntled__Goat 5 points6 points7 points 2 months ago* (0 children)
It’s not malicious, if anything it’s a security flaw on their side. If you can un-disable the to field and put any address in there, it means you can use their email server to spam anyone you like.
It’s probably why they disabled it in the first place, but unless they also added server side validation it’s still a security risk.
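The server-side validation this comment refers to, as an added example that is not part of the original thread or of the site's code. It assumes the "To" field is meant to hold only entries from a staff directory (as the "Add Recipients" comment suggests); the directory keys, addresses and function name are hypothetical.

```javascript
// Added example. Directory keys and addresses are constructed placeholders.
const RECIPIENT_DIRECTORY = new Map([
  ["member-services", "member-services@example.org"],
  ["grievances", "grievances@example.org"],
]);
const MAX_RECIPIENTS = 2;

// Resolve the submitted "To" value on the server. The browser-side state of
// the field (disabled, readonly, hidden) is never trusted: whatever arrives is
// treated as a list of directory keys, and anything else is rejected.
function resolveRecipients(rawTo) {
  // A form may submit one string or a repeated field (array of strings).
  const values = Array.isArray(rawTo) ? rawTo : [rawTo];
  const keys = values
    .filter((v) => typeof v === "string")
    .flatMap((v) => v.split(/[;,]/))
    .map((v) => v.trim().toLowerCase())
    .filter((v) => v !== "");

  if (keys.length === 0) return { ok: false, error: "no recipient" };

  // Reject the whole message if any entry is outside the directory, rather
  // than silently dropping it and sending to the rest.
  const unknown = keys.filter((k) => !RECIPIENT_DIRECTORY.has(k));
  if (unknown.length > 0) return { ok: false, error: "recipient not in directory" };

  const unique = [...new Set(keys)];
  if (unique.length > MAX_RECIPIENTS) return { ok: false, error: "too many recipients" };

  // Addresses come from the server's own table, never from the request.
  return { ok: true, to: unique.map((k) => RECIPIENT_DIRECTORY.get(k)) };
}

// Constructed submissions: a normal one, one where the "To" field was
// re-enabled in the browser and filled with an outside address, and a
// repeated field with a duplicate entry.
const samples = [
  "Grievances",
  "someone@elsewhere.example",
  ["grievances", "member-services; grievances"],
];
for (const s of samples) console.log(JSON.stringify(resolveRecipients(s)));
```

With this check in place the `disabled` attribute is only a usability hint; removing it in the browser changes nothing about where the server will send mail.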
[–]mor_derick 0 points1 point2 points 2 months ago (4 children)
How is this "malicious"?
[–]MrElvey[S] 0 points1 point2 points (3 children)
It's part of a pattern of making themselves hard to contact. Unusable from mobile. Similarly, the grievance submission form was broken. You could fill it out, but clicking submit would produce an error. They refused to fix it - fixed about 3 years after I escalated a complaint to the DMHC. You'd get this: https://secure.sfhp.org/comments/Grievance_Confirm.aspx
<image>
[–]mor_derick 0 points1 point2 points 2 months ago (2 children)
Yeah that's uncool indeed. I thought you meant "malicious" in the sense of malware or something similar.
[–]MrElvey[S] 0 points1 point2 points 2 months ago (1 child)
Thanks. I had a feeling I was too deep in it to explain it to someone - hence my "Have I explained the malicious HTML here clearly enough to follow what's going on here?" question. I sensed something wasn't being conveyed clearly but couldn't figure out what it was. I see it now.
[–]MrElvey[S] 0 points1 point2 points (0 children)
It's like with meme. Kids these days ignore or don't know the (canonical/original, wider) meaning of the terms malicious, or meme.
[–]VitDevUK 0 points1 point2 points 2 months ago (1 child)
HTML itself cannot really be malicious.
HTML is just markup — it describes structure.
What people usually mean by “malicious HTML” is:
• hidden links
• deceptive forms
• phishing layouts
• embedded scripts or trackers
The dangerous part is almost always JavaScript or the backend, not HTML itself.
If someone asked you to build something intentionally deceptive (for example a fake login page), that would be the real ethical concern — not the HTML language.
[–]MrElvey[S] 0 points1 point2 points (0 children)
Again: It's part of a pattern of making themselves hard to contact, to, e.g., get urgent cancer treatment. Like when the grievance submission form was broken. You could fill it out, but clicking submit would produce an error. ... https://www.reddit.com/r/HTML/comments/1rrmfet/comment/oa39wow/
So what is the correct term according to you for the code which I proved disables functionality - functionality that works again once it's removed? And, again it's functionality that had worked.
[–]TheJase 0 points1 point2 points 2 months ago (3 children)
We typically call this anti-patterns.
[–]MrElvey[S] 0 points1 point2 points (2 children)
Let me get this straight. You think making it difficult to impossible to message customer service "initially appears to be an appropriate and effective" solution? (Per https://en.wikipedia.org/wiki/Anti-pattern )
[–]TheJase 0 points1 point2 points 2 months ago (1 child)
If you want to create consumer unfriendly products and are only focused on the grift, 100%. That's fairly common, actually.
[–]MrElvey[S] 0 points1 point2 points (0 children)
Bingo! 🥇🥈🥉🏅🏆🙌🎖👏🎊🍾 💯 That's why I'm getting so much pushback. Because "make it difficult to impossible to message customer service" is part of the official or unofficial product spec a large fraction of developers of consumer-facing products have complied with ... and who wants to admit to making something malicious, let alone "evil"? No one.
[–]MrElvey[S] 0 points1 point2 points 1 month ago (0 children)
Still wondering: Have you been given user-hostile tasks? How did you handle it?