View Issue Details

ID: 0009031
Project: mantisbt
Category: feature
View Status: public
Last Update: 2008-04-03 23:02
Reporter: octo
Assigned To:
Priority: normal
Severity: minor
Reproducibility: N/A
Status: acknowledged
Resolution: open
Product Version: 1.1.1
Target Version:
Fixed in Version:
Summary: 0009031: [PATCH] Make mailto:-HREFs in bug notes configurable
Description

I noticed that email addresses are turned into mailto: links, regardless of the `show_user_email_threshold' setting, even for the anonymous user (viewer access rights).

The attached patch introduces a new configuration option, `mailto_markup_threshold', which can be used to set an access right. If the user has at least this level, email addresses are converted to links as has been the case thus far. If the user does not have the required right, the address is obfuscated by inserting

<span style="display: none;">nospam$t_random.</span>

after the at-sign. $t_random holds a random number. CSS2-compliant browsers will display the email address normally, but address-harvesting bots should have a hard time recognizing that the middle part is garbage, even if they strip HTML tags.
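The same decision the patch makes, written as an added example (not MantisBT's own string_api.php code) that splits each matched address at its '@' inside a callback instead of depending on the capture-group layout of email_regex_simple(). $has_mailto_level is an assumed stand-in for the access_has_project_level( config_get( 'mailto_markup_threshold' ) ) check, and the address pattern is a simplified stand-in for email_regex_simple().

```php
<?php
// Added example, not MantisBT code. Turns e-mail addresses in a bug-note string
// into mailto: links when the viewer has the required level, otherwise inserts
// the hidden "nospam<random>." span after the '@' as the patch describes.
function mailto_or_obfuscate( $p_string, $has_mailto_level, $t_random = null ) {
    // Stand-in for email_regex_simple(): no capture groups are needed, and the
    // character classes admit nothing HTML-significant, so a match can be echoed as-is.
    $t_pattern = '/\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b/';

    if ( $has_mailto_level ) {
        return preg_replace_callback( $t_pattern, function ( $m ) {
            return '<a href="mailto:' . $m[0] . '">' . $m[0] . '</a>';
        }, $p_string );
    }

    // One random token per string, as in the patch (rand() once, not once per match).
    $t_random = ( $t_random === null ) ? rand() : $t_random;
    return preg_replace_callback( $t_pattern, function ( $m ) use ( $t_random ) {
        // Split at the last '@' ourselves, so no back-reference numbers are hard-coded.
        $t_at     = strrpos( $m[0], '@' );
        $t_local  = substr( $m[0], 0, $t_at );
        $t_domain = substr( $m[0], $t_at + 1 );
        return $t_local . '@<span style="display: none;">nospam' . $t_random . '.</span>' . $t_domain;
    }, $p_string );
}

// Constructed sample bug-note text with two addresses.
$t_note = "Contact alice.smith@example.org or bob@example.net for details.";
echo mailto_or_obfuscate( $t_note, true ), "\n";          // viewer meets the threshold
echo mailto_or_obfuscate( $t_note, false, 12345 ), "\n";  // viewer below it, fixed token for readability
```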

Tags: patch

Activities

2008-04-03 12:13

mantis-1.1.1-mailto_markup_threshold.patch (1,435 bytes)
diff -pur mantis-1.1.1.orig/config_defaults_inc.php mantis-1.1.1.octo/config_defaults_inc.php
--- mantis-1.1.1.orig/config_defaults_inc.php	2008-01-16 23:16:24.000000000 +0100
+++ mantis-1.1.1.octo/config_defaults_inc.php	2008-03-30 17:59:44.000000000 +0200
@@ -306,6 +306,7 @@
 
 	# This specifies the access level that is needed to get the mailto: links.
 	$g_show_user_email_threshold = NOBODY;
+	$g_mailto_markup_threshold = NOBODY;
 
 	# If use_x_priority is set to ON, what should the value be?
 	# Urgent = 1, Not Urgent = 5, Disable = 0
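Review bot: the new `$g_mailto_markup_threshold = NOBODY;` line is placed under the comment that documents `$g_show_user_email_threshold` and gets no comment of its own, so an administrator reading config_defaults_inc.php cannot tell how the two thresholds differ, nor that with the default NOBODY no user reaches the level and every viewer, logged in or not, gets the obfuscated form instead of the mailto: links the current code emits. Suggest a comment directly above the new line, e.g. `# Access level needed for e-mail addresses in notes to become mailto: links; users below it see an obfuscated address.`, and an entry for the option in the admin documentation alongside the other thresholds.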
diff -pur mantis-1.1.1.orig/core/string_api.php mantis-1.1.1.octo/core/string_api.php
--- mantis-1.1.1.orig/core/string_api.php	2007-12-10 01:22:38.000000000 +0100
+++ mantis-1.1.1.octo/core/string_api.php	2008-03-30 18:15:04.000000000 +0200
@@ -399,9 +399,17 @@
 			ini_set( 'magic_quotes_sybase', true );
 		}
 
-		$p_string = preg_replace( '/\b' . email_regex_simple() . '\b/i',
-								'<a href="mailto:\0">\0</a>',
-								$p_string);
+		if ( access_has_project_level( config_get( 'mailto_markup_threshold' ) ) ) {
+			$p_string = preg_replace( '/\b' . email_regex_simple() . '\b/i',
+									'<a href="mailto:\0">\0</a>',
+									$p_string);
+		} else {
+			$t_random = rand ();
+			$p_string = preg_replace( '/\b' . email_regex_simple() . '\b/i',
+									"\\2@<span style=\"display: none;\">nospam$t_random.</span>\\3",
+									$p_string);
+		}
+
 
 		return $p_string;
 	}
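Review bot: the else branch hard-codes the back-references `\\2` and `\\3` as local part and domain, which silently depends on the capture-group layout of email_regex_simple(); if that regex ever gains or loses a group the replacement emits mangled text with no error. Suggest documenting that dependency next to the call or, better, splitting the matched address at its '@' in a preg_replace_callback so no group numbers are assumed. Two smaller points: the inserted `<span>` text is rendered verbatim wherever the output is shown without CSS (text-mode browsers, screen readers, any notification built from the same string), which is worth a note in the config comment for the option; and the extra blank line added after the closing brace is a stray whitespace change.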
vboctor

2008-04-03 23:02

manager ~0017547

I am wondering if we should be doing this obfuscation if the currently logged in user is anonymous, rather than using a separate configuration option to drive this.

Issue History

Date Modified Username Field Change
2008-04-03 12:13 octo New Issue
2008-04-03 12:13 octo File Added: mantis-1.1.1-mailto_markup_threshold.patch
2008-04-03 13:47 jreese Tag Attached: patch
2008-04-03 23:02 vboctor Note Added: 0017547
2008-04-03 23:02 vboctor Status new => acknowledged