ExpressionEngine CMS

This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.

Comment preferences and character entities

September 03, 2010 4:59am

  • #1 / Sep 03, 2010 4:59am

    danieljohnbarnes

    151 posts

    Running 1.6.9 20100430, standard LAMP setup.

    In comment preferences for a weblog I have:

    Comment Text Formatting : XHTML
    Comment HTML Formatting : Convert…char entities
    Automatic Email addresses : No (not that this setting should matter)

    However, if someone puts the following comment:

    In this case, we are looking at a situation where you, the buyer, stops paying the premiums. This is a contractual breach. Instead of creating a situation where there are thousands of lawsuits in which a life insurance company is suing policy holders,<a href="http://www.badpspamdomain.com/">Insurance reviews</a>

    Then that link is presented and rendered by the browser as is - no char ents.

    I have enough on my plate dealing with bio field link stuffers so am I missing something obvious? Not using anything fancy on the template side, just a simple

    {comment}
  • #2 / Sep 03, 2010 9:42am

    Ingmar

    29245 posts

    Can you show us a link to one such entry? Are you running any extensions? You might also consider upgrading to the latest build (although that’s probably not at the heart of this issue).

  • #3 / Sep 07, 2010 6:56am

    danieljohnbarnes

    151 posts

    I can’t post a live link right now, but I have verified this behaviour not happening on a clean install.

    No 3rd party extensions, no modules other than the forum module are installed, but it still happens if it’s removed.

    It’s an odd one.

  • #4 / Sep 07, 2010 3:44pm

    Ingmar

    29245 posts

    What happens when you use some other Comment Text and Comment HTML Formatting options?

  • #5 / Sep 08, 2010 8:06am

    danieljohnbarnes

    151 posts

    Okay, I have managed to get it working in my testing, although unsure of what I did to make it happen (nothing major, just going away and coming back an hour or 2 later), going to push it back live and see if any real world spammers generate different results.

    Thanks

  • #6 / Sep 08, 2010 9:07am

    Sue Crocker

    26054 posts

    We can keep this thread open a bit longer.. let us know when you’re ready to close it.

  • #7 / Sep 17, 2010 7:31am

    danieljohnbarnes

    151 posts

    Thanks Sue.

    Think I have found the issue though.

    Now, html is converted to character entities.

    However, if you post a URL in this form (logged in or not):

    [url="http://www.spammersite.com"]Spam Anchor Text[/url]

    the following happens:

    1. The listed email contacts for comment notification get an email with the link code shown as:

    <a href="http://www.spammersite.com">Spam Anchor Text</a>

    For this reason I assumed the spammer had entered the link like that when it appears they are using BB code and EE is post processing for the notification emails.

    2. The link is converted and displayed as a clickable link on the entry page by EE.

    I found this - http://ellislab.com/expressionengine/user-guide/general/bbcode.html

    So it seems that there is some intended behaviour, but I am hoping there is an option to turn the BB support off, otherwise it’s a Welcome doormat for would-be EE spammers and the ability in the CP to prevent URLs being automatically turned into links is a bit useless if it can be bypassed so easily 😊

  • #8 / Sep 17, 2010 8:25am

    danieljohnbarnes

    151 posts

    Okay, so I have done some more digging:

    The following spammer site was placed into the blacklist module - easigo.co.uk

    Typing:

    easigo.co.uk

    Yields no error.

    <a href="http://www.easigo.co.uk">http://www.easigo.co.uk</a>

    Yields an error.

    [url="http://www.easigo.co.uk"]Easigo[/url]

    Yields NO error and of course creates a link too.

    So I guess it’s subjective whether the non http://www. version on its own should yield an error when the version with it does, but certainly going down the BB route bypasses it altogether.
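
Added example, not part of the original thread and not ExpressionEngine's code: a blacklist check that pulls host names out of a comment whatever markup carries them, so the three inputs tested in post #8 (bare domain, HTML anchor, BBCode `[url]`) get the same verdict. The function names, the regular expressions and the one-entry blacklist are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Hypothetical blacklist holding the domain named in post #8.
BLACKLIST = {"easigo.co.uk"}

# Link targets in HTML anchors (href=...) and BBCode ([url=...] / [url="..."]).
ATTR_URL = re.compile(r'(?:href\s*=\s*|\[url=)["\']?([^"\'\]\s>]+)', re.I)
# BBCode form with the target as the tag body: [url]http://...[/url].
BODY_URL = re.compile(r'\[url\](.*?)\[/url\]', re.I | re.S)
# Bare host names or scheme-prefixed URLs in running text.
BARE = re.compile(r'\b(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})\b', re.I)


def host_of(candidate):
    """Return the lower-cased host of a URL or bare domain, or None."""
    candidate = candidate.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate  # let urlsplit see a netloc
    try:
        host = urlsplit(candidate).hostname
    except ValueError:
        return None
    return host.lower().rstrip(".") if host else None


def extract_hosts(comment):
    """Collect every host referenced in the raw comment, before any rendering."""
    hosts = set()
    for rx in (ATTR_URL, BODY_URL, BARE):
        for m in rx.finditer(comment):
            h = host_of(m.group(1))
            if h:
                hosts.add(h)
    return hosts


def blacklisted_hosts(comment, blacklist=BLACKLIST):
    """Hosts equal to a blacklisted domain or a subdomain of one."""
    return {h for h in extract_hosts(comment)
            if any(h == d or h.endswith("." + d) for d in blacklist)}
```

Running the check on the raw submission, before BBCode is rendered or HTML is converted to entities, is what keeps the verdict independent of the markup used.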

  • #9 / Sep 18, 2010 3:10pm

    Greg Salt

    3988 posts

    Hi Daniel,

    Let me investigate this a bit further. I’ll update this thread as soon as I can.

    Cheers

    Greg

  • #10 / Sep 19, 2010 5:21pm

    Greg Salt

    3988 posts

    Hi Daniel,

    I can’t replicate the issue with Blacklist - if I add a root domain then all subdomains of that domain are blocked as well. I am discussing the BB code question with the rest of the team. Thank you for your patience.

    Cheers

    Greg

  • #11 / Sep 23, 2010 6:27am

    danieljohnbarnes

    151 posts

    Hey Greg,

    Thanks for the update.

    I am still seeing the root domain issue. To clarify, I am simply pasting the URL as is in the comment field, exactly the same as the entry in the blacklist.

    Can you confirm your test used a co.uk domain name, rather than a single extension like .com or .net?

    On the BB code issues (ability to turn off and blacklist not affecting BB entries) - thanks, waiting patiently 😊

  • #12 / Sep 24, 2010 2:38am

    John Henry Donovan

    12339 posts

    danieljohnbarnes,

    We are still waiting to hear back on the BBcode question but regarding your Blacklist can you tell us if you are writing it to an htaccess file?

  • #13 / Sep 24, 2010 7:12am

    danieljohnbarnes

    151 posts

    regarding your Blacklist can you tell us if you are writing it to an htaccess file?

    No I am not.

    Thanks.

  • #14 / Sep 24, 2010 1:42pm

    Sue Crocker

    26054 posts

    Is there a reason why you aren’t writing it to an .htaccess file?

  • #15 / Sep 27, 2010 5:43am

    danieljohnbarnes

    151 posts

    As I understand it’s an option, it’s not mandatory, and not part of the setup so it’s never been enabled.

    Simply preventing spam input is good enough for me, so long as it works, and given the size of the URL blacklists I’d rather not have all those in my htaccess file.
