
Include username in new messages bar ("youhavenewmessages")
Open, LowPublic

Description

Author: NavouWiki

Description:
Change the default New Messages bar to read "User", you have new messages. This change is requested to preclude UI spoofing.


Version: 1.22.0
Severity: minor

Details

Reference
bz12693

Event Timeline

bzimport raised the priority of this task from to Low.Nov 21 2014, 10:05 PM
bzimport set Reference to bz12693.
bzimport added a subscriber: Unknown Object (MLST).

Anything that stems this "omg, you have new messages... rly!" nonsense, is something I welcome with open arms.

--AGK

cbm.wikipedia wrote:

Add user name to the youhavenewmessages message

attachment messages.diff ignored as obsolete

cbm.wikipedia wrote:

Since there is no CURRENTUSER magic word, I don't think there is any way in wiki code to generate the name of the logged-in user. So just adding this to the bar should be enough to detect spoofs. I uploaded a patch.

cbm.wikipedia wrote:

updated patch (escape username)

Updated patch to escape username with wfEscapeWikiText()

attachment messages.diff ignored as obsolete
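The two patches above interpolate the viewer's username into the message text and then escape it with wfEscapeWikiText(). The added example below is not MediaWiki code and not either patch; it is a small Python model of why the escaping step matters. `escape_wikitext()` follows the idea of wfEscapeWikiText() (replace wikitext-significant characters with numeric entities) but is not a copy of its character table, `render_wikitext()` is a deliberately minimal toy renderer that only understands bold, italic and links, and the hostile username is constructed for the demonstration (MediaWiki's own username rules independently reject some of these characters, so apostrophes are the realistic case).

```python
import re

# Characters that wikitext would interpret as markup if a username containing
# them were pasted raw into the "youhavenewmessages" message. Assumption: this
# set is modelled on wfEscapeWikiText()'s approach, not copied from it.
WIKITEXT_ESCAPES = {
    "'": "&#39;", "[": "&#91;", "]": "&#93;", "{": "&#123;", "}": "&#125;",
    "|": "&#124;", "<": "&#60;", ">": "&#62;", "=": "&#61;", "&": "&#38;",
}


def escape_wikitext(text: str) -> str:
    """Replace wikitext-active characters with numeric HTML entities.

    Entities survive wikitext parsing as literal characters, so an escaped
    username can never open italics, bold, a link or a template.
    """
    return "".join(WIKITEXT_ESCAPES.get(ch, ch) for ch in text)


def new_messages_bar(username: str, escape: bool = True) -> str:
    """Build the proposed '<Username>, you have new messages' wikitext.

    escape=False models the naive interpolation; escape=True models the
    second patch, which escapes the name before it reaches the parser.
    """
    name = escape_wikitext(username) if escape else username
    return f"{name}, you have new messages."


def render_wikitext(src: str) -> str:
    """Toy renderer: only bold, italic and [[target|label]] links.

    This is a stand-in for the parser, enough to show the injection; it is
    not MediaWiki's parser.
    """
    out = re.sub(r"'''(.+?)'''", r"<b>\1</b>", src)
    out = re.sub(r"''(.+?)''", r"<i>\1</i>", out)
    out = re.sub(r"\[\[([^\]|]+)\|([^\]]+)\]\]", r'<a href="/wiki/\1">\2</a>', out)
    out = re.sub(r"\[\[([^\]|]+)\]\]", r'<a href="/wiki/\1">\1</a>', out)
    return out


def leaks_markup(rendered: str) -> bool:
    """True if the rendered bar contains tags the message itself never emits."""
    return bool(re.search(r"<(i|b|a)\b", rendered))


# Constructed hostile username: double apostrophes are italic markers in wikitext.
HOSTILE_USER = "''Admin''"

if __name__ == "__main__":
    naive = render_wikitext(new_messages_bar(HOSTILE_USER, escape=False))
    safe = render_wikitext(new_messages_bar(HOSTILE_USER, escape=True))
    print("unescaped:", naive)   # the name becomes <i>Admin</i>
    print("escaped:  ", safe)    # the name stays literal text
```

Running the block shows the unescaped name turning into `<i>Admin</i>`, while the escaped one reaches the renderer as entities and is displayed verbatim; the same reasoning is why the patch escapes the name rather than trusting that usernames are harmless.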

random832 wrote:

How about moving it out of the content area altogether? put it where the sitenotice normally is, for example.

NavouWiki wrote:

I've altered to minor, due to it being an exploitable issue. That being a UI spoof. Additionally, do we know if there is a status on this bug?

(In reply to comment #5)

How about moving it out of the content area altogether? put it where the
sitenotice normally is, for example.

bug 12681

sumanah wrote:

CBM, thanks for your patch. I'm sorry it took so long for you to get a response. Your patch doesn't apply to trunk anymore, since trunk has changed substantially in the past few years. If you have the time and the interest in revising it, please stop by MediaWiki-General on freenode IRC to chat about the best approach, so you don't end up redoing too much work. Thanks again!

sumanah wrote:

Santhosh verified that this bug is "easy" and suitable for a new MediaWiki developer.

Patch to add username to notification message

I didn't think of UI spoofing, but one user had mentioned to me before that he thought the notification was some standard thing and never bothered to click it (and never knew about the talk page / messages left to him); he never realized it was a notification for a personal message left on his talk page.

Attached:

sumanah wrote:

Srikanth, thanks for the patch! Can I ask you to use developer access to directly suggest it into Git/Gerrit?

https://www.mediawiki.org/wiki/Git/Workflow#How_to_submit_a_patch in case you need that.

Srikanth, are you going to submit this for review? :)

(In reply to comment #1)

Anything that stems this "omg, you have new messages... rly!" nonsense, is
something I welcome with open arms.

--AGK

You know [[Special:Block]] is also good for that... (better, one could even argue)

In regards to patch, the "You" should probably be lowercase since it no longer starts a sentence.

Actually thinking about this, the construction "<Username>, you have new messages" seems a tad artificial to me, but maybe that's just me.

Another option:

"You have new messages on User talk:<username>".

Thinking about the anons, "127.0.0.1, you have new messages" doesn't look good. "There are new messages for USERNAME" might be useful in separating that it was sent to the IP, not necessarily to the person reading it (I have been sent a message about vandalising, but I didn't edit anything!). OTOH, many newbies wouldn't think it's a message for them if we called them by IP address.

sumanah wrote:

Srikanth, I added the "design" keyword because I imagine the design group would have some feedback on this proposed change.

massaf wrote:

Thanks Sumana!

From a copy design perspective, I agree that "[Username], you have new messages" might sound too concierge-like, especially since most users aren't accustomed to having themselves addressed by their username in everyday conversation (as opposed to their real first name).

I like Bawolff's proposal:
"You have new messages on User talk:<username>"

"You" alone is attention-grabbing enough, in my experience. Some people will debate whether or not pronouns are OK in these situations, but until Echo handles notifications, I think this would be a fine approach to prevent UI spoofing.

Cheers,
Munaf

[removing keyword as design input was provided]