[Typo3-dev] security suggestion for tipafriend ext

Thorsten Kahler thorsten.kahler at dkd.de
Tue Jun 8 17:31:46 CEST 2004


Hi Chi,
hi list,

we just modified the class tx_tipafriend to be a bit more secure (and
powerful), too.

We're writing the current time, link and page title (using realurl, the link
is often too long to display) to the fe_user session within the method
tiplink. When sending the form, we reset the time and use the stored link in
the email. You can configure via TS how many recipients can be addressed at
once.

I wanted to propose these changes to Kasper, but didn't have the time to
make two points clear for me. As the issue is on the list now, let's discuss
it here:

1) I think in an environment like T3 it won't matter, but I'm not sure:
could _updating_ the db with every page access be a performance problem? If
so, IMHO it's also possible to use the jumpUrl feature. (appending some
variable to the tiplink and redirect if variable is set)
2) What about links in the user's comment? Should they be omitted? Any other
suggestions for checking the comment?

BTW: making it more powerful means using Masi's great CS class to convert the
mail contents. Now it's possible to use various charsets and transfer
encodings.

Thorsten
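
The approach described in the message above, sketched as an added example that is not part of the original post and is not the tipafriend extension's code: the link is stored server-side when the tip link is rendered, and on submit the mail uses only that stored link plus a capped recipient list. A plain array stands in for the fe_user session; the function names, both limits, and the use of the stored time as a minimum delay are assumptions.

```php
<?php
// Added example. All names and limits are hypothetical, not TYPO3 API.
const MAX_RECIPIENTS = 3;   // assumed stand-in for the TypoScript setting
const MIN_INTERVAL   = 30;  // assumed: seconds required since the stored time

// Called where the tip link is rendered: remember what may be mailed.
function tip_remember(array &$session, string $url, string $title, int $now): void
{
    $session['tip'] = ['url' => $url, 'title' => $title, 'time' => $now];
}

// Called on form submit. Returns [recipients, mail body] or throws.
function tip_build_mail(array &$session, array $post, int $now): array
{
    if (!isset($session['tip'])) {
        throw new RuntimeException('no tip link stored for this session');
    }
    $tip = $session['tip'];
    if ($now - $tip['time'] < MIN_INTERVAL) {
        throw new RuntimeException('form submitted too quickly');
    }
    $raw = is_string($post['recipients'] ?? null) ? $post['recipients'] : '';
    $recipients = preg_split('/[\s,;]+/', $raw, -1, PREG_SPLIT_NO_EMPTY);
    if (count($recipients) === 0 || count($recipients) > MAX_RECIPIENTS) {
        throw new RuntimeException('recipient count out of range');
    }
    foreach ($recipients as $address) {
        // Rejects malformed addresses, including ones carrying CR/LF.
        if (filter_var($address, FILTER_VALIDATE_EMAIL) === false) {
            throw new RuntimeException('invalid recipient address');
        }
    }
    $session['tip']['time'] = $now;              // reset the time on send
    $body = $tip['title'] . "\n" . $tip['url'];  // $post['url'] is never read
    return [$recipients, $body];
}

// Constructed sample run: the posted 'url' field is ignored.
$session = [];
tip_remember($session, 'https://example.org/news/article.html', 'News article', 1000);
$post = [
    'recipients' => 'a@example.org, b@example.org',
    'url'        => 'https://other.example/tampered',
];
[$to, $body] = tip_build_mail($session, $post, 1060);
echo implode(', ', $to), "\n", $body, "\n";
```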





