
Don't use "www.YourDomain.com" in your addon options as an example

cclaerhout

Well-known member
#1
I thought for a moment my dev server had been hacked after seeing an unsolicited redirection towards the host 1and1 with an affiliate id number:
Code:
http://www.1and1.com/?affiliate_id=322774
But the problem was coming from an addon that had used in its options this kind of link as an example:
Code:
http://www.YourDomain.com/default/xenforo/gradients/
The domain is valid and sends requests to 1and1. So the solution is simple: use another address as an example.


1and1.jpg
 

cclaerhout

Well-known member
#3
Don't understand clearly how can they hack your site?
No no, I thought it was hacked but it wasn't. It was only a redirection from an admin option field that had used the given address as an example. I only tested the addon for some reasons and didn't modify the field. So it gives the above error & redirection in the console (see the screenshot).
 

cclaerhout

Well-known member
#5
What addon did that?

Oh I see now. Yeah several of his addons do that.
It's not the fault of the addon but only its example link inside its options, an option which I should have configured myself beforehand. The purpose of this message is just advice for addon developers. Nothing more.
 

DRE

Well-known member
#6
It's not the fault of the addon but only its example link inside its options, an option which I should have configured myself beforehand. The purpose of this message is just advice for addon developers. Nothing more.
That's nothing. I've installed his footer addon but he has nearly 20 links back to his own site pre-installed in the options. Was all that really necessary? Even Jaxel does that to some of his xenporta blocks.
 

lms

Well-known member
#7
I'm really amazed. I do not understand this. But if it bothers you, I change by example links. It happens when I have configured the add-on on my server and exported to package and put it on XenForo.

I will study this because I do not work or have worked with 1 & 1

Salud2
 

lms

Well-known member
#10
Here's an idea.

You could, in theory, insert the correct URL in the database during install.

Here's an example that could help: http://xenforo.com/community/threads/turn-off-forums-automatically.41066/#post-444288
Good idea.
But, of course, is a full URL necessary at all? Surely a relative URL is much more appropriate? e.g. styles/default/xenforo/gradients

Either way, nice find Cédric
./styles/default/xenforo/gradients or styles/default/xenforo/gradients ?

Salud2
 

lms

Well-known member
#11
That's nothing. I've installed his footer addon but he has nearly 20 links back to his own site pre-installed in the options. Was all that really necessary? Even Jaxel does that to some of his xenporta blocks.
I will try to correct it. Thanks for noticing

Salud2
 

lms

Well-known member
#12
If you go to the web page "www.YourDomain.com" from a Spanish IP (like mine), you get this image at the top of the page:
2.png

Translation: Sorry. If you are a resident of Spain, you can't make purchases from this page.

Curious, no?

Salud2
 

Chris D

XenForo developer
Staff member
#14
Thank you for the tip, Cédric.

Developers who want to set domain names as examples should use the reserved http://example.com, http://example.net & http://example.org domains: http://en.wikipedia.org/wiki/Example.com
Yeah Example.com is highly recommended over making up your own example as it is reserved (y)


But... I still think wherever possible you should translate example URLs into the real board's URL.

In my Friend Inviter add-on, for example, where I had instructions I could have said "In the box type http://yourUrl.com/google/callback as the redirect URL" Instead I used a templatePostRender on the template to replace the example URL with the site's REAL URL generated with the XenForo Link class. The benefit, of course, amongst other things, is it would always be the correct URL taking into consideration things like friendly URLs etc.

It's also much easier for people to understand if they see their actual URL there.
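
A check that follows from this thread, as an added example (not code from any poster or from XenForo): a small lint that scans add-on option default values for absolute URLs whose host is not a reserved documentation name, since any other host is a real or registrable domain whose owner controls what the browser receives. The option ids and sample values are constructed for illustration, and the reserved list also includes the special-use TLDs from RFC 2606, which goes slightly beyond the three domains named above.

```python
import re
from urllib.parse import urlsplit

# Names reserved for documentation and testing (RFC 2606 / RFC 6761).
RESERVED_DOMAINS = ("example.com", "example.net", "example.org")
RESERVED_TLDS = ("test", "example", "invalid", "localhost")

# Absolute (http/https) and protocol-relative (//host/...) URLs in free text.
URL_RE = re.compile(r"""(?:https?:)?//[^\s"'<>]+""", re.IGNORECASE)


def is_reserved(host):
    """True if host is a reserved example name or a subdomain of one."""
    host = host.lower().rstrip(".")
    if host.rsplit(".", 1)[-1] in RESERVED_TLDS:
        return True
    return any(host == d or host.endswith("." + d) for d in RESERVED_DOMAINS)


def find_risky_defaults(options):
    """Return (option_id, url, host) for every URL in a default value
    whose host is not reserved, i.e. could resolve to a third party."""
    findings = []
    for option_id, default in options.items():
        for url in URL_RE.findall(default):
            host = urlsplit(url if "://" in url else "http:" + url).hostname
            if host and not is_reserved(host):
                findings.append((option_id, url, host))
    return findings


# Constructed sample: hypothetical option ids with their shipped defaults.
SAMPLE_OPTIONS = {
    "gradient_path": "http://www.YourDomain.com/default/xenforo/gradients/",
    "callback_hint": "In the box type http://yourUrl.com/google/callback",
    "docs_link": "http://example.com/styles/",
    "relative_path": "styles/default/xenforo/gradients",
    "sub_reserved": "https://forum.example.org/help",
    "lookalike": "//notexample.com/x.png",
}

if __name__ == "__main__":
    for option_id, url, host in find_risky_defaults(SAMPLE_OPTIONS):
        print(f"{option_id}: {url} -> host {host} is not reserved; "
              "use example.com or a relative path")
```

Running it over an add-on's exported option defaults before packaging catches placeholder hosts like the one in the first post; relative paths and example.com/.net/.org pass.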