mods.curse.com might have leaked data

Some time ago I played World of Warcraft. Hell, was that addictive. I’m kind of happy that I don’t do it anymore. To be effective in raids I needed addons, which I got from mods.curse.com. And as I am wary to give out my main email address, I once again created one exclusively for this purpose.

For a few months now I find spam being sent to that particular address. It’s not an address you would easily guess such as info@ or contact@ or so, it was very particularly tailored so that it would relate both to curse and to my username on WoW. Mails to it are received in my catch-all inbox, where most of the spam lands.

This particular wave of spam is from „Sale4MichaelKors“, „Deals 4 Jordan“, „Pandora Jewelry“ and „UGG Boots“. Stuff which I don’t receive for any other email address.

Now, I have contacted the support, but the last reply was „We can confirm that we are not aware of any mishandling of your user data, nor any incidents that would have exposed it. If you would like more information on Twitch’s Privacy Policy please feel free to read up here.“.

The fact remains that this is the one and only place where I used that email address. Either they have sold my information (I do not believe that) or the data has been stolen. I don’t claim it to be a recent leak. I have a Yahoo address, which was definitely compromised, and I could clearly see that the information obtained had not been abused for quite some time after the data leaked. I assume the same is true in this case. So the leak is not necessarily new.

However, I did not get any specifics what the ’security team‘ had looked into. Maybe they only looked at potential incidents this year, I don’t know.

What I know is: this email address was exclusively used with curse.com, and now I receive spam on it. I draw my conclusions from those facts.

 

Salesforce: $Component-merge fields behaving unexpectedly

So I was writing a slightly complicated form validation in Javascript. Therefore I needed access to the values of all fields of an <apex:form>. But worse, some fields were shown conditionally.

So I assumed that the validation would merely need to check whether the fields existed, as a conditional rendering does not add the fields to the DOM (in contrast to hiding them with display: none). So my Visualforce page looked something like this:

<apex:page controller="ConditionalRerenderController">
    <apex:form>
        Click me
        <apex:inputCheckbox value="{!condition}" id="firstId">
            <apex:actionSupport event="onclick" rerender="conditionalBlock"/>
        </apex:inputCheckbox><br/>
        <apex:pageBlock id="conditionalBlock">
            <apex:pageBlockSection rendered="{!condition}" columns="1">
                <apex:inputText id="secondId" value="{!stringValue}" /><br/>
            </apex:pageBlockSection>
        </apex:pageBlock>
    </apex:form>
</apex:page>

The JS to get the value of the text input field would be rather simple

var inputfield = document.getElementById('secondId');
if(inputField != null)
    alert(inputfield.value);

However, the attribute id in Visualforce does not translate directly to the HTML attribute of the same name. To make sure a produced id is in fact unique, Salesforce adds information on the context, practically making it unusable to hard-code the id in javascript.

But there is the global merge field $Component which allows to resolve the produced HTML id. So I expected this to work:

var inputfield = document.getElementById('{!$Component.secondId}');
if(inputfield != null)
    alert(inputfield.value);

But inputfield would always be null, no matter whether the checkbox had been clicked before, rendering the input field.

This is quite a problem, as it turns out this merge field is not re-evaluated outside of the block that gets re-rendered. Instead, the expression always evaluates to an empty string outside of the conditionally rendered block. So you would need to put all Javascript that needs an id of an element within the conditionally rendered block.

Or – maybe more workable – you could use class names as pseudo-IDs. If you would add

styleClass="pseudoId"

to the input-field you can access it with

var elements = document.getElementsByClassName('pseudoId');
if(elements != null && elements.length > 0) {
    var inputField = elements[0];
    alert(inputField.value);
}

Have a try, and notice how the id of the text input only appears in the conditionally rendered block.
The page:

<apex:page controller="ConditionalRerenderController">
    <apex:form>
        Click me
        <apex:inputCheckbox value="{!condition}" id="firstId">
            <apex:actionSupport event="onclick" rerender="conditionalBlock"/>
        </apex:inputCheckbox><br/>
        firstId: <apex:outputText value="{!$Component.firstId}" /><br/>
        secondId: <apex:outputText value="{!$Component.secondId}" /><br/>

        <apex:pageBlock id="conditionalBlock">
            <apex:pageBlockSection rendered="{!condition}" columns="1">
                <apex:inputText id="secondId" value="{!stringValue}" /><br/>
                secondId: <apex:outputText value="{!$Component.secondId}" /><br/>
            </apex:pageBlockSection>
        </apex:pageBlock>
    </apex:form>
</apex:page>

The controller:

public class ConditionalRerenderController {
 public boolean condition {get;set;}
 public String stringValue {get;set;}
 
 public ConditionalRerenderController() {
 this.condition = false;
 this.stringValue = 'empty';
 }
}

Fairphone information – English version

Dear English-speaking friends of the Fairphone,

Please excuse me for writing my stuff in German first, but it is my native-tongue, and therefore it comes to me more naturally than English. As I am aware that the majority of you does not speak German, I am working on an English summary of all that I find about the Fairphone.

If you would like to comment, please do so in this article.

Spam Kommentare / spam comments

Liebe Spammer,

alle Kommentare hier werden moderiert. Macht Euch einfach nicht die Arbeit, der Kommentar wird nicht erscheinen.

Dear Spammers,

all comments are screened. Save your time, spam comments will not be published here.

Und für alle, die sich fragen, warum ich sowas überhaupt schreibe – schließlich liest der gemeine Spammer das doch nicht – ich wollt’s nur gesagt haben. Alle sinnvollen Kommentare werden natürlich veröffentlicht. Die paar, die es gibt 😉