PHPBB3-14527 Dataloss caused by link shortening (maybe)

[Joe User]

Sorry, wasn't meant to be abrasive tone, just a proposed fix.

[Nicofuma]

What "buggy hardcoding" are you talking about?

[Joe User]

The hardcoded rewrite of

Code: Select all

[nonalpha]www.something

to

Code: Select all

[nonalpha]http://www.something

like [nonalpha]www.something or (nonalpha)www.something or /nonalpha/www.something or .nonalpha.www.something

Hopefully it is more clear now what i mean. Thanks.

[JoshyPHP]

Technically it's not really rewritten as the text stays the same, it's just linked via the HTTP scheme. The text stays the same when you edit it, it stays the same when you read it. Personally I don't think that linking www. URLs is particularly useful but it's been a feature for many years and I don't think false positives impact usability in any meaningful way.

About requiring the www. URL to be preceded with whitespace, I think it creates more problems than it solves. For instance, it would prevent (www.example.org) and [b]www.example.org[/b] from being linked.

If you don't like www. URLs, you can write an extension that disables it. Use the core.text_formatter_s9e_configure_after and force the Autolink plugin to be reloaded without support for it. If you feel fancy you can implement a similar feature using the Preg plugin and your own regexp.

Code: Select all

$event['configurator']->plugins->load('Autolink', ['matchWww' => false]);
$event['configurator']->Preg->match('/(?<!\\S)(?P<url>www\\.\\S+)/', 'URL');

[Joe User]

it's been a feature for many years and I don't think false positives impact usability in any meaningful way.

OK, if unnecessary queries of DNS records that modern Clients (Browsers and Searchengines) do for prefetching and the like are no impact to usability (they cost time and bandwith, think of mobile devices) and also the privacy concerns (those DNS queries can be used for tracking and more) especially for users in and from some states like china are no problem, then let this "feature" in.

So for the privacy concerns alone this "feature" should be removed as soon as possible, at least make it configureable with default to off, please, thanks.

This is a real (technical and ethical) problem and should be fixed.


BTW: By using phpBB in the Tor/Darkweb this becomes also a security problem...

[Marc]

You don't seem to understand what DNS prefetch actually does. While you're claiming it slows things down and costs bandwith, it does actually reduce latency and barely uses any bandwidth (typical size of request < 512 Bytes).

There are also plenty of tools that allow disabling DNS prefetching. Increasing load times, latency, and therefore imposing bad usability onto users based on overambitious privacy concerns is certainly not the way to go. If you require this extreme privacy then it should be you who imposes that. Again, there are plenty of tools that make this incredibly easy for you and there is no need to impose this for everyone and making everyone suffer for the sake of very very few people.
This is therefore neither a technical nor an ethical problem. If you're using phpBB in the Darkweb you should take extra measures. Then again, this is your responsibility and a mere edge case that shouldn't mean everyone else has to suffer based on your choices.