View Issue Details

ID: 0009031
Project: mantisbt
Category: feature
View Status: public
Last Update: 2008-04-03 23:02
Reporter: octo
Assigned To:
Priority: normal
Severity: minor
Reproducibility: N/A
Status: acknowledged
Resolution: open
Product Version: 1.1.1
Summary: 0009031: [PATCH] Make mailto:-HREFs in bug notes configurable
Description

I noticed that email addresses are turned into mailto: links, regardless of the `show_user_email_threshold' setting, even for the anonymous user (viewer access rights).

The attached patch introduces a new configuration option, `mailto_markup_threshold', which can be used to set an access right. If the user has at least this level, email addresses are converted to links as has been the case thus far. If the user does not have the required right, the address is obfuscated by inserting
<span style="display: none;">nospam$t_random.</span>
after the at-sign. $t_random holds a random number. CSS2-compliant browsers will display the email address normally, but address-harvesting bots should have a hard time recognizing that the middle part is garbage - even if they strip HTML tags.

Tags: patch
Attached Files:
mantis-1.1.1-mailto_markup_threshold.patch (1,435 bytes)
diff -pur mantis-1.1.1.orig/config_defaults_inc.php mantis-1.1.1.octo/config_defaults_inc.php
--- mantis-1.1.1.orig/config_defaults_inc.php	2008-01-16 23:16:24.000000000 +0100
+++ mantis-1.1.1.octo/config_defaults_inc.php	2008-03-30 17:59:44.000000000 +0200
@@ -306,6 +306,7 @@
 
 	# This specifies the access level that is needed to get the mailto: links.
 	$g_show_user_email_threshold = NOBODY;
+	$g_mailto_markup_threshold = NOBODY;
 
 	# If use_x_priority is set to ON, what should the value be?
 	# Urgent = 1, Not Urgent = 5, Disable = 0
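Review bot: the new `$g_mailto_markup_threshold = NOBODY;` line has no comment of its own, and the comment directly above it ("This specifies the access level that is needed to get the mailto: links.") belongs to `$g_show_user_email_threshold`, so a reader of config_defaults_inc.php cannot tell what the two options do differently. Add a comment stating that users below this level see the address with the hidden `nospam` span instead of a mailto: link. Also consider the default: if NOBODY is a level no account reaches, as its use for `show_user_email_threshold` suggests, a stock install changes from always linking addresses to never linking them; if that is intended, say so in the comment, otherwise pick a default that preserves the current behaviour.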
diff -pur mantis-1.1.1.orig/core/string_api.php mantis-1.1.1.octo/core/string_api.php
--- mantis-1.1.1.orig/core/string_api.php	2007-12-10 01:22:38.000000000 +0100
+++ mantis-1.1.1.octo/core/string_api.php	2008-03-30 18:15:04.000000000 +0200
@@ -399,9 +399,17 @@
 			ini_set( 'magic_quotes_sybase', true );
 		}
 
-		$p_string = preg_replace( '/\b' . email_regex_simple() . '\b/i',
-								'<a href="mailto:\0">\0</a>',
-								$p_string);
+		if ( access_has_project_level( config_get( 'mailto_markup_threshold' ) ) ) {
+			$p_string = preg_replace( '/\b' . email_regex_simple() . '\b/i',
+									'<a href="mailto:\0">\0</a>',
+									$p_string);
+		} else {
+			$t_random = rand ();
+			$p_string = preg_replace( '/\b' . email_regex_simple() . '\b/i',
+									"\\2@<span style=\"display: none;\">nospam$t_random.</span>\\3",
+									$p_string);
+		}
+
 
 		return $p_string;
 	}
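Review bot: the `else` branch's replacement string `"\\2@<span style=\"display: none;\">nospam$t_random.</span>\\3"` depends on `email_regex_simple()` containing exactly the capture groups that make `\2` the local part and `\3` the domain, but the pattern built in this hunk adds no groups of its own and nothing documents that coupling (the `if` branch only uses `\0`). If the helper's grouping changes, the output silently drops part of the address. Capture the two parts explicitly in the pattern used here, or use preg_replace_callback and split the matched address on `@`. Two smaller points: `$t_random = rand ();` runs once per call, so every address in a note carries the same `nospam<number>.` token, which makes it easy to strip from all of them at once; drawing the number per match would avoid that. And the added empty line after the `}` leaves two blank lines before `return $p_string;`.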

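The following is an added example, not MantisBT code and not part of the attached patch. It reimplements the two behaviours the description explains (mailto: link above the threshold, hidden junk token below it) with the local part and domain captured explicitly in the pattern, rather than relying on the numbered groups inside `email_regex_simple()`, and shows what a tag-stripping harvester ends up with. The regex, the `example_*` function names, the boolean standing in for `access_has_project_level()` and the sample note text are all assumptions made for this example.

```php
<?php
// Added example, not MantisBT code. The regex below is a stand-in for
// email_regex_simple(): group 1 = local part, group 2 = domain.
function example_email_pattern() {
    return '/\b([A-Za-z0-9._%+-]+)@([A-Za-z0-9.-]+\.[A-Za-z]{2,})\b/';
}

// Behaviour for users at or above the threshold: wrap each address in a
// mailto: link, exactly as the unpatched code does for everyone.
function example_mailto_links($text) {
    return preg_replace(example_email_pattern(), '<a href="mailto:$0">$0</a>', $text);
}

// Behaviour for users below the threshold: insert a hidden junk token after
// the at-sign. $random is passed in so the output is reproducible here; the
// patch draws it from rand().
function example_obfuscate_emails($text, $random) {
    return preg_replace_callback(
        example_email_pattern(),
        function ($m) use ($random) {
            return $m[1] . '@<span style="display: none;">nospam' . $random . '.</span>' . $m[2];
        },
        $text
    );
}

// Mirrors the patch's if/else. The access decision is passed in as a boolean
// (assumption) instead of calling access_has_project_level().
function example_insert_email_markup($text, $has_mailto_level, $random) {
    return $has_mailto_level
        ? example_mailto_links($text)
        : example_obfuscate_emails($text, $random);
}

// What a harvester that strips tags but does not apply CSS is left with.
function example_harvester_view($html) {
    return strip_tags($html);
}

// Constructed sample note text.
$note = 'Contact alice@example.org or bob.smith@mail.example.com about this.';

// User above the threshold: plain mailto: links.
echo example_insert_email_markup($note, true, 0), "\n";

// User below the threshold: addresses with the hidden token after the @.
$obfuscated = example_insert_email_markup($note, false, 4242);
echo $obfuscated, "\n";

// The harvester's view: the token is now part of the domain it would collect.
echo example_harvester_view($obfuscated), "\n";
```

Run with `php example.php`. The last line of output is what the description's "even if they strip HTML tags" refers to: once the tags are gone, the token sits inside the domain and the collected address is useless. The caveats the description leaves implicit also show up here: a harvester that evaluates CSS, or any text-only client, sees the same junk the harvester does, and because the token is generated once per string (as in the patch) every address in a note shares it; moving the random draw into the callback gives each address its own.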
Activities

vboctor (manager)   2008-04-03 23:02   ~0017547

I am wondering if we should be doing this obfuscation if the currently logged in user is anonymous, rather than using a separate configuration option to drive this.