it’s a valid name but it shouldn’t add the hyperlink… wait a moment…
*** went to check the source of the emails that i received ***
the senders (i’m targeted by an asshole that did this on hundreds on sites) DIDN’T add any hyperlink, this is a huge security issue by gmail: they’re automatically adding hyperlinks! This is very stupid, especially with the new google domains .zip and .mov. Someone sends an email like “attached there’s bank-statement.zip” and then gets phished
You’ve landed on this page because you followed a link for a .zip file. This domain was registered to prevent its misuse for potentially harmful or malicious activities.
Well, what do ya know. There’s still some good guys out there.
I was just going to point out that it’s the responsibility of the email service to filter that as well.
It was a big bug ticket at my company, that our email service kept automatically turning plaintext to links like www.example.com for convenience. We couldn’t fix it on our side at all.
Edit: lol either Lemmy or my Lemmy app also turns plaintext links into real links! www.Rofl.lol
nevertrust user input. the web site should be looking for and filtering this shit out.
the other one (the submission page at the university, was right above this one in my ‘all’ feed) shows it better–with a full valid link in a text box. should be filtered and rejected by the form submission handler and never inserted into the database. in the case of no ‘http’ as part of it, links still follow a format, and those should be rejected too.
mod_security filters that shit out on my sites, the rules on what’s allowed in a form field hardly ever get ‘tested’ anymore since i turned that on.
We’re going in circles. How do you know a name that looks like a link is actually a link or a real name?
How do you solve that problem in a way that names that look like links are still accepted?
Plus the way email clients parse plain text is not the university’s website’s responsibility. Today, it’s links. Tomorrow, it’s “embedded AI prompts” or “mini-QR codes,” or “new format telephone numbers,” etc.
What would be a solution? How do you know Albert/III.jr is not a valid name?
it’s a valid name but it shouldn’t add the hyperlink… wait a moment…
*** went to check the source of the emails that i received ***
the senders (i’m targeted by an asshole that did this on hundreds on sites) DIDN’T add any hyperlink, this is a huge security issue by gmail: they’re automatically adding hyperlinks! This is very stupid, especially with the new google domains .zip and .mov. Someone sends an email like “attached there’s bank-statement.zip” and then gets phished
Well, what do ya know. There’s still some good guys out there.
I was just going to point out that it’s the responsibility of the email service to filter that as well.
It was a big bug ticket at my company, that our email service kept automatically turning plaintext to links like www.example.com for convenience. We couldn’t fix it on our side at all.
Edit: lol either Lemmy or my Lemmy app also turns plaintext links into real links! www.Rofl.lol
Email clients and web browsers making anything that vaguely looks like a link clickable is nothing new.
Falsehoods programmers believe about names is always a great read.
never trust user input. the web site should be looking for and filtering this shit out.
the other one (the submission page at the university, was right above this one in my ‘all’ feed) shows it better–with a full valid link in a text box. should be filtered and rejected by the form submission handler and never inserted into the database. in the case of no ‘http’ as part of it, links still follow a format, and those should be rejected too.
mod_security filters that shit out on my sites, the rules on what’s allowed in a form field hardly ever get ‘tested’ anymore since i turned that on.
Never trusting user input, sure. That, I know. And probably the university’s devs do as well.
However, it’s not the university’s website’s fault that the email client is converting the name to a link.
So what you’re saying is, email clients should not convert link-like text to actual clickable links. Correct?
the university’s form allowed the link or link-like string in the text field. that’s on them.
mail clients should at least be warning users about links it converts from text into clickable markup. yes.
We’re going in circles. How do you know a name that looks like a link is actually a link or a real name?
How do you solve that problem in a way that names that look like links are still accepted?
Plus the way email clients parse plain text is not the university’s website’s responsibility. Today, it’s links. Tomorrow, it’s “embedded AI prompts” or “mini-QR codes,” or “new format telephone numbers,” etc.