Deleted comments can be seen in the HTML code

[isagoico]

If you haven’t already, check out our contributing guidelines for onboarding and email [email protected] to request to join our Slack channel!

---

Action Performed:

1. Navigate to a conversation
2. Send a message
3. Edit the message and delete all of the content
4. Navigate to console tools > Network

Expected Result:

Deleted comment should not be accessible by the user in any part of the code.

Actual Result:

Deleted comment can be seen in the HTML code.

Workaround:

Not sure if this needs a workaround.

Platform:

Where is this issue occurring?

• Web

Version Number: 1.1.2-5

Reproducible in staging?: yes
Reproducible in production?: yes

Logs: https://stackoverflow.com/c/expensify/questions/4856

Notes/Photos/Videos: Any additional supporting documentation

htmlcode.mp4

Expensify/Expensify Issue URL:

Issue reported by: @akshayasalvi
Slack conversation: https://expensify.slack.com/archives/C01GTK53T8Q/p1632613507072000

View all open jobs on GitHub

[MelvinBot]

Triggered auto assignment to @NikkiWines (Engineering), see https://stackoverflow.com/c/expensify/questions/4319 for more details.

[isagoico]

Please check the thread here https://expensify.slack.com/archives/C01GTK53T8Q/p1632613507072000 it has more context on the issue

[NikkiWines]

Looks good for UpWork 👍 applying External label

[MelvinBot]

Triggered auto assignment to @SofiedeVreese (External), see https://stackoverflow.com/c/expensify/questions/8582 for more details.

[akshayasalvi]

@NikkiWines This issue might have to be fixed from the backend. So contributors can work on the backend repo also ?

[NikkiWines]

oops, yes you're right @akshayasalvi, I misread the slack thread and though we could implement your suggestions here but it does seem like this'll be backend work which contributors do not have access to.

[parasharrajat]

Hey guys, I don't think this is really a issue, It does not affect the user at all.

On the other hand, delete message functionality is built in this way that message are there just they are hidden from the user.

I don't think any Normal user will spy the network tab after deleting a message to find the deleted messages.

Also, if someone is spying on messages with his account than its does not effect anything. Basically, you can check the network tab while making a bank payment and you would be able to see your password but that doesn't mean your password is not safe.

---

If we really want to tackle this then we have to change the delete message functionality of the app.

[NikkiWines]

Hmm, I'm not sure I agree. After all, the deleted message persists in the message history beyond just checking the network tab immediately after deleting. The user could log out and log back in (or have their account taken over) and you'd still be able to find the old "deleted" message in the network tab after navigating to the chat.

Not saying it's a huge issue, but the deleted messages aren't truly being deleted if we keep a record of them that you can find with relative ease.

[akshayasalvi]

@parasharrajat The issue is that the recipients can see the deleted messages in the network tab.

1. User A sends a message to User B
2. User A then deletes the message
3. User B can still see the message in the edits tag.

[MelvinBot]

@NikkiWines Huh... This is 4 days overdue. Who can take care of this?

[MelvinBot]

@NikkiWines 6 days overdue. This is scarier than being forced to listen to Vogon poetry!

[NikkiWines]

Working on this issue this week

[MelvinBot]

@NikkiWines Uh oh! This issue is overdue by 2 days. Don't forget to update your issues!

[NikkiWines]

PR is on hold due to N6 feature freeze.

[yuwenmemon]

Sorry, just saw this one for some reason. I believe the original design for this called for keeping edits even when a comment is deleted. (Since deleting a comment is just like editing a comment to be empty). One thing we could do is not send the edit history over the API when a comment is deleted. However, I'm not sure if removing the comment history entirely from storage like we're doing in the linked PR gains us anything.

[NikkiWines]

Oh cool, I didn't realize our original design aimed to keep the edits even for deleted comments.

In that case, I guess we do nothing? I'm happy to look into not sending the edit history as well if we do want to modify this, but if it's working as intended I don't see why we should change it.

[akshayasalvi]

Based on the discussion in slack @chiragsalian had also mentioned the same thing. We shouldn’t send edit history to the user in the API response.

[yuwenmemon]

We shouldn’t send edit history to the user in the API response.

Yep. I think this is the best way to handle this issue.

[MelvinBot]

This issue has not been updated in over 15 days. @NikkiWines eroding to Monthly issue.

P.S. Is everyone reading this sure this is really a near-term priority? Be brave: if you disagree, go ahead and close it out. If someone disagrees, they'll reopen it, and if they don't: one less thing to do!

[NikkiWines]

Oh oops, the fix for this has been on prod for roughly 2 weeks now. Closing!

[akshayasalvi]

@NikkiWines @mallenexpensify There'll be a payment for reporting this?

[mallenexpensify]

@akshayasalvi Thanks for the ping. Can you apply here please? And confirm in a comment here when you do?
https://www.upwork.com/jobs/~01a9a9596e5085e734

[akshayasalvi]

Done, @mallenexpensify

[MelvinBot]

📣 @akshayasalvi You have been assigned to this job by @mallenexpensify!
Please apply to this job in Upwork and let us know when we can expect a PR to be ready for review 🧑‍💻
Keep in mind: Code of Conduct | Contributing 📖

[mallenexpensify]

Hired @akshayasalvi in Upwork, can you confirm here once the offer had been accepted and I'll pay?

[akshayasalvi]

Accepted :)

[mallenexpensify]

Paid! Thanks @akshayasalvi !