« Recent Posts / Ignore Boards
"Username does not exist" warning
This would be an interesting feature :) »

PantsManUK

  • We-Gen
  • [me=PantsManUK]would dearly love to dump SMF 1.X at this juncture...[/me]
  • Posts: 174
Re: "Username does not exist" warning
« Reply #15 on March 23rd, 2012, 03:13 PM »
Personally, I would want the security; don't divulge any information at login other than "one or both of the things you entered is wrong". The forgotten login details process can (and would) be more specific, and would necessarily "leak" if an email address is associated with an account on the forum.
« What is this thing you hoomans call "Facebook"? »

Nao

  • With a Box
  • If you say so.....
  • Posts: 12,894
Re:
« Reply #16 on March 23rd, 2012, 03:53 PM »
Quote from Arantor on March 23rd, 2012, 02:35 PM
I don't recall SMF adding slashes there...
Make sure to check Post.php out when you have some time to look into rev 1503 ;)
SMF does it in two passes: htmlspecialchars, then addcslashes.
Wedge retains the addcslashes. I also forgot to mention that in the situation where you're editing a draft, it will then reset the subject (protection-free?) after the addcslashes (now str_replace). It's at Post.php:1024 if you're interested. It also does an un_htmlspecialchars on the message body... The code block also has a //!! in it, so I suspect you stopped working on it in the middle.

Oh, and another bug: if a topic is moved (not deleted!) while writing a draft, the draft only offers to create a new topic.
...« I say wedge wedge (in the butt) »
 « Everyone knows rock attained perfection in 1974. It's a scientific fact. » (Homer Simpson)

oOo--STAR--oOo

  • Freshman
  • @Arantor Our greatest weakness lies in giving up. The most certain way to succeed is always to try just one more time
  • Posts: 43
Re: "Username does not exist" warning
« Reply #17 on March 23rd, 2012, 04:45 PM »
Nice Project. I would love to see the outcome of this.
I think user feedback is great for those who rarely use a computer.

So I think they should be prompted if the username is invalid.
I think it really does depend on the type of website and user base.
It wouldn't hurt to allow the user using wedge to choose how he wishes to notify incorrect logins.

I would love to get involved with this sometime ;) I am full of ideas and creations XD

Arantor

  • With a Box
  • As long as the planets are turning, as long as the stars are burning, as long as your dreams are coming true...
  • Posts: 13,600
Re:
« Reply #18 on March 23rd, 2012, 04:50 PM »
Quote
Make sure to check Post.php out when you have some time to look into rev 1503
I will do that. I really don't remember it adding slashes. The reason I'm so surprised by it is that when I wrote SimpleDesk, I went over the process very thoroughly and I never added slashes myself.
Quote
I also forgot to mention that in the situation where you're editing a draft, it will then reset the subject (protection-free?) after the addcslashes (now str_replace).
That's sort of how I implemented it. The drafts don't need to have the same level of protection that normal posts do, just enough to prevent XSS injections.
Quote
Oh, and another bug: if a topic is moved (not deleted!) while writing a draft, the draft only offers to create a new topic.
That's a bug. It should still pick up on the topic, even if it's in a different board. Missing board, on the other hand, is known to cause problems at the present time.
Quote
It wouldn't hurt to allow the user using wedge to choose how he wishes to notify incorrect logins.
Interesting approach.
Quote
I would love to get involved with this sometime ;) I am full of ideas and creations XD
Please do share your ideas in the forum here. I can't promise we'll implement them, but we'll certainly read and consider them.
  When we unite against a common enemy that attacks our ethos, it nurtures group solidarity. Trolls are sensational, yes, but we keep everyone honest.

Nao

  • With a Box
  • If you say so.....
  • Posts: 12,894
Re:
« Reply #19 on March 23rd, 2012, 05:16 PM »
Quote from Arantor on March 23rd, 2012, 04:50 PM
Quote
Make sure to check Post.php out when you have some time to look into rev 1503
I will do that. I really don't remember it adding slashes.
No, you didn't. That's the point. The draft code doesn't do it, when I think it should turn quotes to their entity equivalent (quot). As for the addcslashes() call, it was added by SMF, not by you. We just never noticed the bug because we don't often have double quotes in topic titles, and the error only shows up when replying.
Quote
That's sort of how I implemented it. The drafts don't need to have the same level of protection that normal posts do, just enough to prevent XSS injections.
But they'll still show double quotes in the subject... Unless you already protected them at auto-save time?
Quote
Quote
Oh, and another bug: if a topic is moved (not deleted!) while writing a draft, the draft only offers to create a new topic.
That's a bug. It should still pick up on the topic, even if it's in a different board. Missing board, on the other hand, is known to cause problems at the present time.
Will you think of fixing this, too?
...« I say wedge wedge (in the butt) »
 « Everyone knows rock attained perfection in 1974. It's a scientific fact. » (Homer Simpson)

Arantor

  • With a Box
  • As long as the planets are turning, as long as the stars are burning, as long as your dreams are coming true...
  • Posts: 13,600
Re:
« Reply #20 on March 24th, 2012, 06:23 PM »
The draft code should at least preparse, though, right? As far as I remember, it should htmlspecialchars and preparsecode, like the post code flow, which would handle the quot conversion.

I will, once I get everything set up, investigate this thoroughly - but I still don't remember even SMF doing addslashes anywhere, because there is absolutely no reason for it to do so.
  When we unite against a common enemy that attacks our ethos, it nurtures group solidarity. Trolls are sensational, yes, but we keep everyone honest.

Nao

  • With a Box
  • If you say so.....
  • Posts: 12,894
Re:
« Reply #21 on March 24th, 2012, 06:35 PM »
Quote from Arantor on March 24th, 2012, 06:23 PM
The draft code should at least preparse, though, right?
I don't know. I guess then that it would need to be un_htmlspecialchar'ed or something when retrieved from the DB...?
Quote
I will, once I get everything set up, investigate this thoroughly - but I still don't remember even SMF doing addslashes anywhere, because there is absolutely no reason for it to do so.
Just look at the latest commits that removed it ;)
...« I say wedge wedge (in the butt) »
 « Everyone knows rock attained perfection in 1974. It's a scientific fact. » (Homer Simpson)
« Recent Posts / Ignore Boards
This would be an interesting feature :) »