View Issue Details

IDProjectCategoryView StatusLast Update
0018880phpList 3 applicationEmailpublic19-06-18 21:27
ReportersamtukeAssigned To 
Status resolvedResolutionfixed 
Target Version3.3.4Fixed in Version3.3.4 
Summary0018880: Include a space after URL placeholders to avoid invalid user id / malformed URLs
DescriptionCurrently it is possible to send malformed URLs in email notifications, for example for confirmation emails sent to subscribers, if the email text does not include a space after the placeholder used for printing the URL.

For example, on the settings page, setting the value of this field: "Message subscribers receive when they sign up" to include "Welcome, click here [CONFIRMATIONURL]!" (note the trailing exclamation mark) will result in an unrecognised user ID when the link is clicked (and by extension, it will be impossible for subscribers to join the list).

To remedy this issue, I propose adding a mandatory space after placeholder URLs so that text set by administrators cannot prevent the links from working.
TagsNo tags attached.



28-09-17 15:57

updater   ~0059445

Presumably this applies only to text format emails, not html.
Is the problem that the ! is treated as part of the confirmation url? If so, then that might depend on the email client being used. In Thunderbird it is not treated as part of the url - see the screenshot. If instead I encoded the ! as %21 then that is treated as part of the url - see the second screenshot.


28-09-17 15:58



28-09-17 17:48

manager   ~0059446

The issue was spotted in a confirmation email, in HTML, viewed in Thunderbird. The message source was:

[plain text]
Dann klick doch hier:=0Ahttp://S=

Dann klick doch hier: <a href=3D"http://Sisyphos.hosted.phpli=!">http://S=

Rendering in Thunderbird is attached.
Selection_298.png (52,863 bytes)   
Selection_298.png (52,863 bytes)   


28-09-17 19:26

updater   ~0059447

Ah I see. It is a problem with converting the confirmation request (entered on the subscribe page) from plain text to html.

See function constructSystemMail() in file lib.php. This regex to find urls for converting to html a elements is too loose. It is taking everything up to the next space or '<' character, so includes the '!' in the problem email.

        $htmlmessage = preg_replace('~https?://[^\s<]+~i', '$0', $htmlmessage);


29-09-17 05:56

updater   ~0059461

Search results provide several regular expressions to convert urls to links, most of which look overly complicated. This one has a reasonably simple function that could be modified

It does handle the original problem, excluding the trailing ! from the url.


29-09-17 06:36

manager   ~0059462

That looks like a good solution. What about the plain text links - did your mail client not include the exclamation mark in the clickable link as well?


11-06-18 20:16

administrator   ~0060712

would be good to run some tests on this.


18-06-18 08:24

reporter   ~0060739

Yes, there is a space added when [PLACEHOLDER] is followed by !
%20 will still become part of the URL.


19-06-18 19:56

administrator   ~0060747

Sorry, is that a "yes" it's working or "yes" it's not working?


19-06-18 21:23

reporter   ~0060753

sorry for the confusion, that is a "Yes it is working" in the case of !

but it is not working in the case of %20


19-06-18 21:27

administrator   ~0060756

%20 is an encoded space. That should not cause a problem