fix(output): fixes handling of untrusted URLs in output/url

All untrusted URLs are now stripped of tags. Rel is set to "nofollow" only on external links.

Fixes #9146
hypeJunction committed Dec 8, 2015
1 parent ba268bf commit 217e4df6ea186660c85310a57e1218eb54ec90d1
Showing with 13 additions and 3 deletions.
  1. +13 −3 views/default/output/url.php
@@ -56,10 +56,20 @@
$url = elgg_add_action_tokens_to_url($url, false);
}
if (!elgg_extract('is_trusted', $vars, false)) {
$is_trusted = elgg_extract('is_trusted', $vars);
if (!$is_trusted) {
$url = strip_tags($url);
if (!isset($vars['rel'])) {
$vars['rel'] = 'nofollow';
$url = strip_tags($url);
if ($is_trusted === null) {
$url_host = parse_url($url, PHP_URL_HOST);
$site_url = elgg_get_site_url();
$site_url_host = parse_url($site_url, PHP_URL_HOST);
$is_trusted = $url_host == $site_url_host;
}
if ($is_trusted === false) {
// this is an external URL, which we do not want to be indexed by crawlers
$vars['rel'] = 'nofollow';
}
}
}
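Review bot: the host comparison `$is_trusted = $url_host == $site_url_host;` only works if `$url` is already absolute at this point; for a relative URL `parse_url($url, PHP_URL_HOST)` returns null, the comparison fails, and an internal link is classified as external and given `rel="nofollow"`. The hunk does not show whether the URL is normalised earlier in the view, so that is worth confirming, and the comparison should be strict and case-insensitive (lower-case both hosts, then `===`) so that `Example.com` and `example.com` count as the same site. Note also that `strip_tags()` only removes angle-bracket markup from the untrusted URL and says nothing about its scheme; whatever scheme handling the view does for untrusted hrefs still has to happen elsewhere.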

6 comments on commit 217e4df

gerard-kanters Aug 20, 2017

Contributor

Why is this required? htmlawed will already tag external links as nofollow. I wrote a plugin hook to override that with sites that have good control over links and want them to be followed. Now you need to override this view too.

hypeJunction Aug 20, 2017

Contributor

And what does htmlawed have to do with anything? We output user inputted URLs all the time, see profile plugin, for example.

gerard-kanters Aug 20, 2017

Contributor

Htmlawed does that too. See

// add nofollow to all links on output
if (!elgg_in_context('input')) {
$htmlawed_config['anti_link_spam'] = array('/./', '');
}

hypeJunction Aug 20, 2017

Contributor

None of it applies to non-text inputs.

$user->facebook_url = get_input('facebook_url');

echo elgg_view('output/url', [
   'href' => $user->facebook_url,
]);
gerard-kanters Aug 20, 2017

Contributor

Ah yes, I see. Wouldn't it be possible to solve it in one place, with the ability to override it with a plugin_hook (or 2)? Now nofollow links are scattered in different code.

hypeJunction Aug 20, 2017

Contributor

You can override that value with view_vars, output/url hook.
