Don't use "www.YourDomain.com" in your addon options as an example

cclaerhout

cclaerhout

Well-known member
I thought a moment my dev server has been hacked after seeing some unsolicited redirection towards the host 1and1 with a affiliate id number:
Code: 
http://www.1and1.com/?affiliate_id=322774

But the problem was coming from an addon that had used in its options this kind of link as an example:
Code: 
http://www.YourDomain.com/default/xenforo/gradients/

The domain is valid and sends requests to 1and1. So the solution is simple: use another address as example.


1and1.webp
 
Dinh Thanh said:
Don't understand clearly how can they hack your site?
Click to expand...
No no, I thought it was hacked but it wasn't. It was only a redirection from an admin option field that had used the given address as an example. I only tested the addon for some reasons and didn't modify the field. So it gives the above error & redirection in the console (see the screenshot).
 
What addon did that?

Oh I see now. Yeah several of his addons does that. Kinda annoying.
 
8thos said:
What addon did that?

Oh I see now. Yeah several of his addons do that.
Click to expand...
It's not the fault of the addon but only its example link inside its options, an option which I should have myself configured before. The purpose of this message is just an advice for addon developers. Nothing more.
 
cclaerhout said:
It's not the fault of the addon but only its example link inside its options, an option which I should have myself configured before. The purpose of this message is just an advice for addon developers. Nothing more.
Click to expand...
That's nothing. I've installed his footer addon but he has nearly 20 links back to his own site pre-installed in the options. Was all that really necessary? Even Jaxel does that to some of his xenporta blocks.
 
I'm really amazed. I do not understand this. But if it bothers you, I change by example links. It happens when I have configured the add-on on my server and exported to package and put it on XenForo.

I will study this because I do not work or have worked with 1 & 1

Salud2
 
Chris Deeming said:
Here's an idea.

You could, in theory, insert the correct URL in the database during install.

Here's an example that could help: http://xenforo.com/community/threads/turn-off-forums-automatically.41066/#post-444288
Click to expand...
Good idea.
Chris Deeming said:
But, of course, is a full URL necessary at all? Surely a relative URL is much more appropriate? e.g. styles/default/xenforo/gradients

Either way, nice find Cédric
Click to expand...
./styles/default/xenforo/gradients or styles/default/xenforo/gradients ?

Salud2
 
8thos said:
That's nothing. I've installed his footer addon but he has nearly 20 links back to his own site pre-installed in the options. Was all that really necessary? Even Jaxel does that to some of his xenporta blocks.
Click to expand...
I will try to correct it. Thanks for noticing

Salud2
 
If you go to web page "www.YourDomain.com" from spanish IP (like mine), get this image at top of page:
2.webp

Translation: Sorry. If you are resident in Spain can't make purchases from this page.

Curious, no?

Salud2
 
ManOnDaMoon said:
Thank you for the tip, Cédric.

Developpers who want to set domain names as examples should use the reserved http://example.com, http://example.net & http://example.org domains: http://en.wikipedia.org/wiki/Example.com
Click to expand...
Yeah Example.com is highly recommended over making up your own example as it is reserved (y)


But... I still think wherever possible you should translate example URLs into the real board's URL.

In my Friend Inviter add-on, for example, where I had instructions I could have said "In the box type http://yourUrl.com/google/callback as the redirect URL" Instead I used a templatePostRender on the template to replace the example URL with the site's REAL URL generated with the XenForo Link class. The benefit, of course, amongst other things, is it would always be the correct URL taking into consideration things like friendly URLs etc.

It's also much easier for people to understand if they see their actual URL there.
 
You must log in or register to reply here.
Back
Top Bottom