Subj : Re: DDMsgReader: When replying to a message, @-codes are now expanded
To   : Nelgin
From : Digital Man
Date : Fri Dec 09 2022 09:33 am

  Re: Re: DDMsgReader: When replying to a message, @-codes are now expanded i
  By: Nelgin to Rob Swindell on Fri Dec 09 2022 12:29 am

 > On Fri, 2 Dec 2022 10:46:45 -0800
 > "Rob Swindell" wrote:
 >
 > > https://gitlab.synchro.net/main/sbbs/-/merge_requests/226#note_2916
 > >
 > > @-codes in messages posted by non-Sysops are normally *never*
 > > expanded on Synchronet due to security issues (e.g. a non-sysop posts
 > > @HANGUP@, or @DELAY:99999@ for example). Similarly, any message
 > > received over a message network should never have any @-codes
 > > expanded.
 > >
 > > This commit seems to introduce a security concern and raises general
 > > concerns about how SlyEdit handles @-codes currently.
 >
 > The reason I requested this is because when I responded to an email on
 > a BBS that was an autogenerated welcome message, the @BBS@ and @ALIAS@
 > codes were expanded but when I replied, the quoted message had @BBS@
 > and @ALIAS@.
 >
 > I think the intent should be that the @codes are converted into the
 > actual text at the time the message is sent. If the sysop wants to
 > change their BBS name or the user changes their alias post-sending of
 > the original, then tough.
 >
 > I agree that @-codes shouldn't be expanded when sent from a user but if
 > coming from the system or sysop, then expand them and put the text in.
 > Problem solved.

Yeah, that sounds preferable and a pretty easy change (at least for those 2
specific @-codes) in exec/newuser.js. Create a new gitlab issue/request for
this?
--
                                            digital man (rob)

This Is Spinal Tap quote #36:
Bobbi Flekman: Money talks, and bullshit walks.
Norco, CA WX: 48.5°F, 75.0% humidity, 0 mph E wind, 0.00 inches rain/24hrs
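
The policy discussed in this thread (expand @-codes once, at send time, and only in system- or sysop-authored text), as an added example that is not Synchronet's code and not part of the original message. It is plain JavaScript; `expandAtSendTime`, the origin labels and the allowlist are hypothetical names, and stripping `@` from substituted values is an assumption of this sketch.

```javascript
// Added example: hypothetical helper, not a Synchronet API.
// Only the two codes named in the thread are expanded at send time.
const SEND_TIME_CODES = new Set(["BBS", "ALIAS"]);

// Matches @CODE@ and @CODE:ARG@ (for example @DELAY:99999@).
const AT_CODE = /@([A-Z_]+)(?::([^@\r\n]*))?@/g;

// origin: "system" | "sysop" | "user" | "network" (labels assumed for this sketch).
// values: send-time values for the allowlisted codes, e.g. { BBS: "...", ALIAS: "..." }.
function expandAtSendTime(body, origin, values) {
  // Text authored by users or received over a message network is never
  // expanded; it is stored and later displayed as literal text.
  if (origin !== "system" && origin !== "sysop") {
    return body;
  }
  return body.replace(AT_CODE, (match, code, arg) => {
    // Codes with arguments and codes outside the allowlist stay literal,
    // so @HANGUP@ or @DELAY:99999@ is never acted on by this step.
    if (arg !== undefined || !SEND_TIME_CODES.has(code)) {
      return match;
    }
    const value = values[code];
    if (typeof value !== "string") {
      return match;
    }
    // Assumption: the stored message may pass through another expansion
    // step at display time, so a user-controlled value (such as an alias)
    // must not be able to smuggle in a new @-code. Strip '@' from it.
    return value.replace(/@/g, "");
  });
}

// Constructed sample input: a welcome message template and a hostile alias.
const welcome = "Welcome to @BBS@, @ALIAS@! @HANGUP@ @DELAY:99999@";
const stored = expandAtSendTime(welcome, "system",
  { BBS: "Example BBS", ALIAS: "@HANGUP@" });
console.log(stored);
```

Because the stored body already holds the expanded text, quoting it in a reply needs no expansion in the message reader at all.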