never trust user input. the web site should be looking for and filtering this shit out.
the other one (the submission page at the university, was right above this one in my ‘all’ feed) shows it better, with a full valid link in a text box. should be filtered and rejected by the form submission handler and never inserted into the database. in the case of no ‘http’ as part of it, links still follow a format, and those should be rejected too.
mod_security filters that shit out on my sites, the rules on what’s allowed in a form field hardly ever get ‘tested’ anymore since i turned that on.
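A server-side check of the kind the comment above describes, added here as an example and not code from the thread or from mod_security: the form handler inspects a name field for link-like strings (an explicit scheme, a bare `www.` host, or a hostname with a common TLD and optional path, so the no-‘http’ case is covered too) and rejects the submission before anything reaches the database. The regexes, the TLD list and the `validate_name_field` / `handle_submission` names are my own assumptions.

```python
import re

# Constructed heuristics for "link-like" text in a field that should only
# hold a person's name. Assumption: a scheme, a www. host, or a host with a
# common TLD is never legitimate in this field.
_SCHEME_RE = re.compile(r"\b[a-z][a-z0-9+.-]*://", re.IGNORECASE)
_WWW_RE = re.compile(r"\bwww\.[a-z0-9-]+(\.[a-z0-9-]+)+", re.IGNORECASE)
_HOST_RE = re.compile(
    r"\b[a-z0-9-]+(\.[a-z0-9-]+)*\.(com|net|org|edu|gov|io|co|info|biz|me|uk|de)\b(/[^\s]*)?",
    re.IGNORECASE,
)


def looks_like_link(value: str) -> bool:
    """True if the text contains anything a mail client would linkify."""
    return any(p.search(value) for p in (_SCHEME_RE, _WWW_RE, _HOST_RE))


def validate_name_field(value: str, max_len: int = 80) -> tuple[bool, str]:
    """Return (ok, reason) for a name field.

    Rejects empty, over-length and control-character input as well as
    link-like strings; dotted initials such as "J.R.R." are still accepted.
    """
    v = value.strip()
    if not v:
        return False, "empty"
    if len(v) > max_len:
        return False, "too long"
    if any(ord(ch) < 32 for ch in v):
        return False, "control characters"
    if looks_like_link(v):
        return False, "contains a link"
    return True, "ok"


def handle_submission(form: dict) -> dict:
    """Validate the submitted form before any database insert.

    Returns {"accepted": bool, "errors": {field: reason}}; on rejection the
    caller stores nothing and returns the errors to the user.
    """
    errors = {}
    ok, reason = validate_name_field(form.get("name", ""))
    if not ok:
        errors["name"] = reason
    return {"accepted": not errors, "errors": errors}


if __name__ == "__main__":
    # Constructed sample submissions: two legitimate names, three link-like ones.
    for name in ["Jane Smith", "J.R.R. Tolkien", "http://evil.example/login",
                 "www.example.com", "example.com/reset"]:
        print(repr(name), "->", handle_submission({"name": name}))
```

The allowlist-on-format approach (reject anything that parses as a link rather than hunting for `http`) is what makes the no-scheme case work; the cost is that a surname that happens to match a TLD pattern such as `Smith.com` would be refused, which for a name field is the right trade-off.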
Never trusting user input, sure. That, I know. And probably the university’s devs do as well.
However, it’s not the university’s website’s fault that the email client is converting the name to a link.
So what you’re saying is, email clients should not convert link-like text to actual clickable links. Correct?
the university’s form allowed the link or link-like string in the text field. that’s on them.
mail clients should at least be warning users about links they convert from text into clickable markup. yes.