coding PM link shortcut in post to include subject line

Started by auroraChloe, April 28, 2014, 10:41:04 PM

auroraChloe

the goal:  i want to embed a link to send me a pm that includes a subject line. 

i am certain i saw it someplace around there over the years.  or i'm just getting a bit dotty. 

a/a 8/21/17

Beguile's Mistress

Use the following:

https://elliquiy.com/forums/index.php?action=pm;sa=send;u=xxxx

Replace the xxxx with your member number found when you go to your profile, click Modify and Account Settings.  The number is at the end of the page address at the top of your screen.

That's the way I found mine.


auroraChloe

Quote from: Beguile's Mistress on April 28, 2014, 11:59:24 PM
Use the following:

https://elliquiy.com/forums/index.php?action=pm;sa=send;u=xxxx

Replace the xxxx with your member number found when you go to your profile, click Modify and Account Settings.  The number is at the end of the page address at the top of your screen.

That's the way I found mine.


thanks, hon, but i got that part already.  i just thought there was additional coding to add to it that would insert a subject line automatically into the pm

a/a 8/21/17

inghippo

I've checked the documentation and I've not found this feature.

The reason there is no such feature is that it's not secure to let users write free text in the URL.

example:

https://elliquiy.com/forums/index.php?action=pm;sa=send;u=xxxx;subject="my custom subject";

Someone could try to put a SQL injection or some JavaScript to steal the user's data or other bad things.

I think that what you remember was the "emailto" prefix for standard links in HTML that lets you define a parameter for the subject and other things.


<a href="mailto:someone@email.com?subject=My custom email subject">Email me!</a>


But this code could only send a user to the email client installed on the PC, with the email and subject fields filled with custom data.

This solution doesn't let you add a custom subject to someone else's PM form, and this feature is not available for security reasons.

Vekseid

I think you mean XSS attack, not SQL injection. There's nothing you could stick in a url subject that you couldn't also stick in the field directly.

This does not strike me as being terribly difficult to mod for someone who wanted to take it up.

inghippo

I said SQL injection considering the general issue about letting a user play with URL parameters.

I have no visibility into the server-side checks on the URL, so it's reasonable to think that a similar implementation needs some testing in various contexts to avoid the possibility that a custom parameter could be sent to other pages to do something else or to get an error.

In my search I found a discussion about setting a custom default subject for PMs in the theme:

http://www.simplemachines.org/community/index.php?topic=481416.0

It would probably be easy to add a GET instead of the default var; my only thought was about the default parameters used in the URL, to avoid conflicts.
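One way the subject prefill discussed above could be handled, as an added example that is not part of the thread and not SMF's own code: it parses the semicolon-separated query string used in the URLs above, bounds the subject, and HTML-encodes it before it is placed in the form field. The function names, the `subject` key, the 80-character cap and the sample values are assumptions; the mbstring extension is assumed to be available.

```php
<?php
// Added example, not SMF code. All names below are hypothetical.

const SUBJECT_MAX_CHARS = 80; // assumed cap for a prefilled subject

// Parse a query string that separates pairs with ';' (as in the
// forum URLs above) or '&'. Keys and values are percent-decoded.
function parse_forum_query(string $query): array
{
    $params = [];
    foreach (preg_split('/[;&]/', $query, -1, PREG_SPLIT_NO_EMPTY) as $pair) {
        [$key, $value] = array_pad(explode('=', $pair, 2), 2, '');
        $params[urldecode($key)] = urldecode($value);
    }
    return $params;
}

// Normalise an untrusted subject: reject invalid UTF-8, replace control
// characters (including CR/LF), collapse whitespace, and cap the length.
function clean_subject(?string $raw): string
{
    if ($raw === null || !mb_check_encoding($raw, 'UTF-8')) {
        return '';
    }
    $text = preg_replace('/[\x00-\x1F\x7F]+/u', ' ', $raw);
    $text = trim(preg_replace('/\s+/u', ' ', $text));
    return mb_substr($text, 0, SUBJECT_MAX_CHARS, 'UTF-8');
}

// Encode for the HTML attribute context, so quotes and angle brackets
// in the subject stay data and cannot close the value="" attribute.
function render_subject_input(string $subject): string
{
    $escaped = htmlspecialchars($subject, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="subject" value="' . $escaped
        . '" maxlength="' . SUBJECT_MAX_CHARS . '">';
}

// Constructed sample: the member number and subject text are made up.
$query = 'action=pm;sa=send;u=1234;subject='
    . rawurlencode('Re: "story" idea <b>now</b>');
$params = parse_forum_query($query);
echo render_subject_input(clean_subject($params['subject'] ?? null)), "\n";
```

The value is only rendered into the form here; once the user submits it, it should go through the same validation and storage path as a subject typed by hand.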




Vekseid

Quote from: inghippo on April 29, 2014, 08:17:03 AM
I said SQL injection considering the general issue about letting a user play with URL parameters.

I have no visibility into the server-side checks on the URL, so it's reasonable to think that a similar implementation needs some testing in various contexts to avoid the possibility that a custom parameter could be sent to other pages to do something else or to get an error.

I'm not sure why you would even need to look at SMF's code to realize that there's no SQL someone could run with an implemented custom subject line that they could not do already, but even assuming you wanted to make sure, you might find yourself taken more seriously if you actually bothered to look at the code before making silly claims about why something is or isn't done.

inghippo

Quote
I'm not sure why you would even need to look at SMF's code to realize that there's no SQL someone could run with an implemented custom subject line that they could not do already, but even assuming you wanted to make sure, you might find yourself taken more seriously if you actually bothered to look at the code before making silly claims about why something is or isn't done.

It was just a general consideration to explain that there is no such feature and there was nothing similar even in the past.

Quote
i am certain i saw it someplace around there over the years.  or I'm just getting a bit dotty.

And just to reply to you:

Quote
I'm not sure why you would even need to look at SMF's code

Because the only code I could look at is SMF code and E client-side code.

Quote
to realize that there's no SQL someone could run with an implemented custom subject line that they could not do already

I've already explained that my concern was about the URL parameter and not about the input itself.
If there's another page in the whole site accepting arbitrary parameters or a default parameter with the same name, you could have an issue.
Even if it's just a server error, it's something bad.

Quote
you might find yourself taken more seriously if you actually bothered to look at the code

So, I'm so silly to look at SMF code but I'm approximate for not looking at the code?
What code? I can just check the client side code or something on SWF website.
I cannot enter in E server and look for a file... You know that and I can't understand why you wrote something like that.

I've checked the code and the input value of the subject is set in the HTML code; looking at the previous links shows that "No subject" is a variable that could be set in the theme.

Quote
making silly claims about why something is or isn't done

Sorry, I've not seen that this was the "Official development Announcements" thread, I thought that this was where people could ask and answer something about technical issues.
I gave a reasonable explanation to someone about something that he thought could be done but that at the moment couldn't be done.

If you don't like that people try to explain to another person something in this thread you could simply add a rule to make clear that only staff is allowed to reply here.

I really don't get why you've reacted this way instead of writing a pm or anything else.

I spent my free time more than once to try to help anyone with some technical problem; if you don't like what I write here you just have to say that.


auroraChloe

Quote from: inghippo on April 29, 2014, 05:49:07 AM
I've checked the documentation and I've not found this feature.

thanks for  your efforts anyway, inghippo.  i appreciate you taking the time.



Quote from: Vekseid on April 29, 2014, 07:45:34 AM
This does not strike me as being terribly difficult to mod for someone who wanted to take it up.

hey Big Boss.  i'm going to take this to mean it's not possible here... yet. 

i must have seen it some place else.  quite possibly in a 'mailto:' scenario.  was just wishing...




and thanks, too, BeMi!   :D

a/a 8/21/17

Vekseid

Why are you even arguing with me?

Quote from: inghippo on April 29, 2014, 10:02:30 AM
I gave a reasonable explanation to someone about something that he thought could be done but that at the moment couldn't be done.

No, you gave a barely-educated guess. Then when I pointed out your error, you started digging around in your hindquarters for a response.

Quote
If you don't like that people try to explain to another person something in this thread you could simply add a rule to make clear that only staff is allowed to reply here.

I really don't get why you've reacted this way instead of writing a pm or anything else.

I spent my free time more than once to try to help anyone with some technical problem; if you don't like what I write here you just have to say that.

Everyone is free to respond and help each other. It's a good feature about this community.

Not pulling things out of your ass is covered quite clearly under rule #2, and since 99.98% of the site abides by it, this is not an issue that needs to be spelled out. It is a common courtesy of general human interaction: speak about what you know, and if you don't know, ask questions. If you think you know and end up being mistaken, take the moment to learn and move on. This should not be difficult.

If you do find it difficult, then go ahead and don't post. If you can resolve this issue, feel free to continue posting here.

In any case, I responded publicly because this would not be difficult to mod, and would be happy to incorporate someone else's code if they want to take it up.

Quote from: auroraChloe on April 29, 2014, 10:39:24 AM
hey Big Boss.  i'm going to take this to mean it's not possible here... yet. 

i must have seen it some place else.  quite possibly in a 'mailto:' scenario.  was just wishing...

Probably, I don't know of another forum package that does it off the top of my head. As inghippo linked to, it only involves modifying a half-dozen lines of code.

I need to fix one of my other mods as is, so I'll try to remember this when I get to them, unless someone else wants to take a ~half hour and cobble it together.

Beguile's Mistress