[horde] imp's new trailer hook

Gary witscher at gmail.com
Sun Sep 8 18:09:56 UTC 2013


Quoting Michael M Slusarz <slusarz at horde.org>:

> Quoting Gary <witscher at gmail.com>:
>
>> I've been playing with the new parameters for the trailer hook in  
>> imp. I get a value for the $to variable but not for the $identity  
>> variable. I'm not much good at php, can anyone help me figure this  
>> out?
>
> $identity is an object, not a string:
>
>>     * @param IMP_Prefs_Identity $identity  The identity object of  
>> the sender.
>
> [snip]
>
> So this isn't going to output anything:
>
>>    "This message was sent by: " . $identity . "\n" .
>
> Since $identity doesn't have an automatic string representation.
>
> Object documentation can be found here:  
> http://dev.horde.org/api/master/app/imp/classes/Imp_Prefs_Identity.html
>
> Just a note: your code opens up a fairly substantial security hole  
> if adding a trailer to an HTML message, since your current code does  
> not escape any harmful content that you may be inserting into the  
> message.  So you need to look out for that.
>
> michael
>

Thank you for the documentation link. Not being a PHP person, it took  
me a while to figure out how to use it, but I got there in the end.  
This works really well and is way more flexible than I have use for.  
You have taken it to a whole new level.

The code I quoted was just experimental code, so I could try and see  
what values I would be dealing with. The code I'm using reads in  
fortune files from disk, world readable, owner writable. Hopefully  
that won't create the security hole that you speak of. Perhaps you  
have at hand a link to documentation regarding these types of security  
holes? If so, I'd like to take a look at it.

Thank you for a very useful update,
Gary
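
The escaping concern raised in the quoted reply, applied to a trailer built from fortune files, as an added example that is not part of the original thread and is not Horde's code. The function names and the sample text are made up for illustration, and how the result is handed back from the IMP hook is left out; file permissions decide who can change the text, while escaping decides how that text is interpreted once it sits in an HTML part.

```php
<?php
// Added example: standalone helpers, not IMP's hook API. All names are hypothetical.

/** Split fortune-format text (entries separated by a line holding only "%"). */
function parse_fortunes(string $raw): array
{
    $raw = str_replace("\r\n", "\n", $raw);
    $entries = preg_split('/^%[ \t]*$\n?/m', $raw);
    $entries = array_map('trim', $entries);
    return array_values(array_filter($entries, fn($e) => $e !== ''));
}

/** Render one entry as a trailer for a plain-text or an HTML message part. */
function render_trailer(string $entry, bool $html): string
{
    // Remove control bytes other than tab and newline in both modes.
    $entry = preg_replace('/[\x00-\x08\x0B-\x1F\x7F]/', '', $entry);

    if (!$html) {
        // A plain-text part is never parsed as markup, so no escaping is needed.
        return "\n" . $entry . "\n";
    }

    // In an HTML part every character of the entry is treated as data:
    // & < > " ' become entities, invalid UTF-8 is substituted instead of
    // making htmlspecialchars() return an empty string.
    $safe = htmlspecialchars($entry, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // Line breaks are turned into <br /> only after escaping.
    return '<div>' . nl2br($safe) . '</div>';
}

// Constructed sample input standing in for a fortune file read from disk.
$raw = "Never test for an error you\ncan't handle.\n%\n"
     . "Tip: 1 < 2 & \"quotes\" matter <script>alert(1)</script>\n%\n";

foreach (parse_fortunes($raw) as $entry) {
    echo "--- text part ---", render_trailer($entry, false);
    echo "--- html part ---\n", render_trailer($entry, true), "\n";
}
```

In the HTML output the second entry's tag text appears as `&lt;script&gt;...`, so a mail client displays it literally instead of interpreting it.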