Ilka Schulz wrote:
Hi,
I wrote a little PHP-based contact page and put the link to the /ContactInfo/ of my relay's /torrc/. I added some HTML tags (/<a href=...> ... </a>/) to let Tor Metrics show the link as such; but, of course, the string is sanitized properly, so the /Contact/ field on Tor Metrics shows the literal HTML tags.
Is there any chance to show the hyperlink on Tor Metrics, so that visitors can directly click on it? The same would be interesting for clear text email addresses.
Regards, Ilka
NACK of course HTML tags / javascript is sanitized otherwise anyone can inject HTML or javascript code in our metrics webpage which is super bad. One attacker can infect all visitors of our metrics webpage, or do various other stuff we don't want.
There is no way to implement such a feature unless someone manually reviews each relay's ContactInfo HTML/javascript tags in that string to make sure there is nothing bad in it, and then keep an eye on it on every descriptor refresh. This is if course out of the question, nobody has the time to do it, it opens the door for mistakes and security risks and it gives us absolutely no gains.
Of course there is a solution where metrics page will detect link format like : http:// , https://, domain.tld, subdomain.domain.tld and show it as hyperlink on the metrics webpage, but I recommend against this as well as this way our metrics webpage can become the referrer for some fishy websites attackers choose to put in relay's contact info.