Buggy Feed links

Arantor

Re: Buggy Feed links
« Reply #30, on April 18th, 2012, 07:32 PM »
Quote
We should always sanitize $_GET anyway. Just assume that ; is always used to separate stuff. Which is the case, anyway...
Occasionally though, SMF uses '&', as in the SID injector, and I don't know what it's there for. I'm assuming this is to 'emulate' enable_trans_sid being set to 1. Because I guess some servers won't allow you to use ini_set, if it's at 1, then it automatically injects & at the end of the SID and then you end up with two different URL styles to deal with -- ?PHPSESSID=...; and ?PHPSESSID=...& -- so they chose to inject & and deal with it later (which I don't believe they do...)
I for one couldn't care less about that, but I suppose we should deal with it overall?
We always do sanitise $_GET, and we do always assume that ; is used to separate stuff, as noted.

Yes, & is passed into SID, and I think you're probably right that it is related to handling enable_trans_sid.

Dealing with it is the big problem. How, exactly, do we proceed? I'm in no doubt the current situation is not ideal. But I'm not sure the other situations are any better either.
Quote
I hope you liked the name I chose for the setting :lol:
Although I'm never one to refuse SID! But only if it's C64-related
I haven't actually looked, been too busy to properly keep up with all the code changes :/
Quote
The same could be said of a session ID. If I have my forum running on 3 different browsers, should Wedge say I have 3 users online...? For debugging purposes it's fine. What about Googlebot? Sometimes you get many requests from the same IP IIRC. Because they're all using different sessions, Wedge considers them as multiple bots. I for one would rather see it recognized as a single 'user'.
If you have your forum running on three different browsers, it depends whether you're logged in or not. If you're logged in, you should be able to have three sessions but only the one online user. But if they're not all logged in, it is different users per se, and I'd argue that's more accurate because they're three separate experiences of browsing the site.

If you have two different sessions from Google, that's two different bots browsing, and should be reflected as such, despite maybe coming from separate - or the same - IP addresses. Here's the thing, even now you cannot rely on an IP address being reflective of a single bot.

Two bots from Google browsing, with two sessions, will typically have two IP addresses. Though it won't always be that way.
Quote
It should always be there in homepage links (index.php). And never elsewhere.
I was going off the feed validation I ran; I forget exactly what was, and what wasn't, broken.