#11818 closed defect (wontfix)
sfp_email and sfph_email fields in URL of wiki history view
Reported by: | Ryan J Ollos | Owned by: | Dirk Stöcker |
---|---|---|---|
Priority: | normal | Milestone: | |
Component: | plugin/spamfilter | Version: | |
Severity: | normal | Keywords: | |
Cc: | Branch: | ||
Release Notes: | |||
API Changes: | |||
Internal Changes: |
Description
The wiki history diff URL has a pair of empty fields sfp_email
and sfph_email
. Example: http://trac.edgewall.org/wiki/TracDev/ReleaseChecklist?sfp_email=&sfph_mail=&action=diff&version=48&old_version=47&sfp_email=&sfph_mail=
I've noticed this issue when pasting these long URLs into emails, and always end up deleting the two &sfp_email=&sfph_mail=
strings from the URL. The URL is greatly shorted if the fields are removed:
http://trac.edgewall.org/wiki/TracDev/ReleaseChecklist?action=diff&version=48&version=47
The fields are easily spotted in the rendered page source, however I don't see them in the template source code: tags/trac-1.0.2/trac/templates/history_view.html@:29,34#L24
<form id="history" class="printableform" method="get"> <div style="display:none;"><input type="text" name="sfp_email" value=""><input type="hidden" name="sfph_mail" value=""></div><div class="buttons"> <input type="hidden" name="action" value="diff"> <input type="submit" value="View changes"> </div><table id="fieldhist" class="listing" summary="Change history"> ... </table><div style="display:none;"><input type="text" name="sfp_email" value=""><input type="hidden" name="sfph_mail" value=""></div><div class="buttons"> <input type="submit" value="View changes"> </div> </form>
Any hints on how these fields are added? Am I overlooking some JavaScript code?
Attachments (0)
Change History (8)
comment:1 by , 10 years ago
comment:2 by , 10 years ago
I think the trap field is needed for only forms with POST method, not for GET method.
comment:3 by , 10 years ago
Component: | general → plugin/spamfilter |
---|---|
Owner: | set to |
If we're consistent in allowing only POST for having side-effects, yes.
comment:4 by , 10 years ago
TrapField adds these fields before <div class="buttons"
. It does not really understand the structure of the pages. Detecting whether this is POST or GET is much more complicated and also will result in errors which then again need to be fixed to get it working again. Currently on all three instances I'm watching we have more than 98% spam submissions. I think additional empty arguments to a get request are a small nuisance compared to the effectivity of these fields. Especially when compared to other web pages where they are so many crap in URL's as well.
comment:7 by , 10 years ago
Resolution: | → wontfix |
---|---|
Status: | new → closed |
comment:8 by , 10 years ago
Milestone: | plugin - spam-filter |
---|
Milestone unset per TracTicketTriage#Milestone.
See SpamFilter#TrapField.