Subj : Re: DDMsgReader: When replying to a message, @-codes are now expanded in
To   : Rob Swindell
From : Nelgin
Date : Fri Dec 09 2022 00:29:56

On Fri, 2 Dec 2022 10:46:45 -0800
"Rob Swindell" wrote:

> https://gitlab.synchro.net/main/sbbs/-/merge_requests/226#note_2916
>
> @-codes in messages posted by non-Sysops are normally *never*
> expanded on Synchronet due to security issues (e.g. a non-sysop posts
> @HANGUP@, or @DELAY:99999@ for example). Similarly, any message
> received over a message network should never have any @-codes
> expanded.
>
> This commit seems to introduce a security concern and raises general
> concerns about how SlyEdit handles @-codes currently.

The reason I requested this is because when I responded to an email on a
BBS that was an autogenerated welcome message, the @BBS@ and @ALIAS@
codes were expanded but when I replied, the quoted message had @BBS@
and @ALIAS@.

I think the intent should be that the @codes are converted into the
actual text at the time the message is sent. If the sysop wants to
change their BBS name or the user changes their alias post-sending of
the original, then tough.

I agree that @-codes shouldn't be expanded when sent from a user but if
coming from the system or sysop, then expand them and put the text in.
Problem solved.

--
End Of The Line BBS - Plano, TX
telnet endofthelinebbs.com 23

---
 ■ Synchronet ■ End Of The Line BBS - endofthelinebbs.com
 * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
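
The policy discussed in this thread (expand @-codes only in messages written locally by the system or a sysop, never in user or networked messages), as an added JavaScript example that is not part of the original post and is not Synchronet or DDMsgReader code. The fields fromSysop and fromNetwork, the ctx object and the function names are hypothetical, the sample messages are constructed, and limiting expansion to a table of text-only codes is an assumption of this sketch.

```javascript
// Added example. Field names (fromSysop, fromNetwork), ctx and the helpers
// are hypothetical; this is not Synchronet's or DDMsgReader's API.
const AT_CODE = /@([A-Z][A-Z0-9_]*(?::[^@\r\n]*)?)@/g;

// Text-only substitutions (assumed table). Codes with side effects, such as
// HANGUP or DELAY:n, are absent, so this path can never act on them.
function textCodes(ctx) {
  return new Map([["BBS", ctx.bbsName], ["ALIAS", ctx.userAlias]]);
}

// Trusted means: written locally by the system or a sysop, and not
// received over a message network.
function isTrusted(msg) {
  return msg.fromSysop === true && msg.fromNetwork !== true;
}

// Return the body as it should appear when quoted in a reply.
function bodyForQuote(msg, ctx) {
  if (!isTrusted(msg)) return msg.body; // every @-code stays literal text
  const codes = textCodes(ctx);
  // String.replace does not rescan substituted values, so an alias that
  // itself contains an @-code is inserted as plain text.
  return msg.body.replace(AT_CODE, (whole, name) =>
    codes.has(name) ? String(codes.get(name)) : whole);
}

// Constructed sample data.
const ctx = { bbsName: "Example BBS", userAlias: "newuser" };
const welcome = { fromSysop: true, fromNetwork: false,
                  body: "Welcome to @BBS@, @ALIAS@! @HANGUP@" };
const userPost = { fromSysop: false, fromNetwork: false,
                   body: "hi @ALIAS@ @HANGUP@ @DELAY:99999@" };
const netPost = { fromSysop: true, fromNetwork: true,
                  body: "@BBS@ says hello" };

for (const m of [welcome, userPost, netPost]) {
  console.log(bodyForQuote(m, ctx));
}
```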