Ticket #48022: 48022.5.diff

src/wp-includes/comment-template.php

@@ -224 +224 @@
         if ( empty( $url ) || 'http://' == $url ) {
                 $return = $author;
         } else {
-                $return = "<a href='$url' rel='external nofollow' class='url'>$author</a>";
+                $return = "<a href='$url' rel='external nofollow ugc' class='url'>$author</a>";
         }
 
         /**

src/wp-includes/default-filters.php

@@ -246 +246 @@
 add_filter( 'sanitize_title', 'sanitize_title_with_dashes', 10, 3 );
 add_action( 'check_comment_flood', 'check_comment_flood_db', 10, 4 );
 add_filter( 'comment_flood_filter', 'wp_throttle_comment_flood', 10, 3 );
-add_filter( 'pre_comment_content', 'wp_rel_nofollow', 15 );
+add_filter( 'pre_comment_content', 'wp_rel_ugc', 15 );
 add_filter( 'comment_email', 'antispambot' );
 add_filter( 'option_tag_base', '_wp_filter_taxonomy_base' );
 add_filter( 'option_category_base', '_wp_filter_taxonomy_base' );

src/wp-includes/formatting.php

@@ -3071 +3071 @@
         return "<a $text rel=\"" . esc_attr( $rel ) . '">';
 }
 
+/**
+ * Adds rel ugc string to all HTML A elements in content.
+ *
+ * @since 5.3.0
+ *
+ * @param string $text Content that may contain HTML A elements.
+ * @return string Converted content.
+ */
+function wp_rel_ugc( $text ) {
+        // This is a pre save filter, so text is already escaped.
+        $text = stripslashes( $text );
+        $text = preg_replace_callback( '|<a (.+?)>|i', 'wp_rel_ugc_callback', $text );
+        return wp_slash( $text );
+}
+
+/**
+ * Callback to add rel=ugc string to HTML A element.
+ *
+ * Will remove already existing rel="ugc" and rel='ugc' from the
+ * string to prevent from invalidating (X)HTML.
+ *
+ * @since 5.3.0
+ *
+ * @param array $matches Single Match
+ * @return string HTML A Element with rel ugc.
+ */
+function wp_rel_ugc_callback( $matches ) {
+        $text = $matches[1];
+        $atts = wp_kses_hair( $matches[1], wp_allowed_protocols() );
+        $rel  = 'ugc nofollow';
+
+        if ( ! empty( $atts['href'] ) ) {
+                if ( in_array( strtolower( wp_parse_url( $atts['href']['value'], PHP_URL_SCHEME ) ), array( 'http', 'https' ), true ) ) {
+                        if ( strtolower( wp_parse_url( $atts['href']['value'], PHP_URL_HOST ) ) === strtolower( wp_parse_url( home_url(), PHP_URL_HOST ) ) ) {
+                                return "<a $text>";
+                        }
+                }
+        }
+
+        if ( ! empty( $atts['rel'] ) ) {
+                $parts = array_map( 'trim', explode( ' ', $atts['rel']['value'] ) );
+                if ( false === array_search( 'ugc', $parts ) ) {
+                        $parts[] = 'ugc';
+                }
+                $rel = implode( ' ', $parts );
+                unset( $atts['rel'] );
+
+                $html = '';
+                foreach ( $atts as $name => $value ) {
+                        if ( isset( $value['vless'] ) && 'y' === $value['vless'] ) {
+                                $html .= $name . ' ';
+                        } else {
+                                $html .= "{$name}=\"" . esc_attr( $value['value'] ) . '" ';
+                        }
+                }
+                $text = trim( $html );
+        }
+        return "<a $text rel=\"" . esc_attr( $rel ) . '">';
+}
+
 /**
  * Adds rel noreferrer and noopener to all HTML A elements that have a target.
  *

new file tests/phpunit/tests/formatting/WPRelUgc.php

@@ +1 @@
+<?php
+
+/**
+ * @group formatting
+ */
+class Tests_Rel_Ugc extends WP_UnitTestCase {
+
+        /**
+         * @ticket 48022
+         */
+        public function test_add_ugc() {
+                $content  = '<p>This is some cool <a href="/">Code</a></p>';
+                $expected = '<p>This is some cool <a href=\"/\" rel=\"nofollow ugc\">Code</a></p>';
+                $this->assertEquals( $expected, wp_rel_ugc( $content ) );
+        }
+
+        /**
+         * @ticket 48022
+         */
+        public function test_convert_ugc() {
+                $content  = '<p>This is some cool <a href="/" rel="weird">Code</a></p>';
+                $expected = '<p>This is some cool <a href=\"/\" rel=\"weird nofollow ugc\">Code</a></p>';
+                $this->assertEquals( $expected, wp_rel_ugc( $content ) );
+        }
+
+        /**
+         * @ticket 48022
+         * @dataProvider data_wp_rel_ugc
+         */
+        public function test_wp_rel_ugc( $input, $output ) {
+                return $this->assertEquals( wp_slash( $output ), wp_rel_ugc( $input ) );
+        }
+
+        public function data_wp_rel_ugc() {
+                $home_url_http  = set_url_scheme( home_url(), 'http' );
+                $home_url_https = set_url_scheme( home_url(), 'https' );
+
+                return array(
+                        array(
+                                '<a href="">Double Quotes</a>',
+                                '<a href="" rel="nofollow ugc">Double Quotes</a>',
+                        ),
+                        array(
+                                '<a href="https://wordpress.org">Double Quotes</a>',
+                                '<a href="https://wordpress.org" rel="nofollow ugc">Double Quotes</a>',
+                        ),
+                        array(
+                                "<a href='https://wordpress.org'>Single Quotes</a>",
+                                "<a href='https://wordpress.org' rel=\"nofollow ugc\">Single Quotes</a>",
+                        ),
+                        array(
+                                '<a href="https://wordpress.org" title="Title">Multiple attributes</a>',
+                                '<a href="https://wordpress.org" title="Title" rel="nofollow ugc">Multiple attributes</a>',
+                        ),
+                        array(
+                                '<a title="Title" href="https://wordpress.org">Multiple attributes</a>',
+                                '<a title="Title" href="https://wordpress.org" rel="nofollow ugc">Multiple attributes</a>',
+                        ),
+                        array(
+                                '<a data-someflag href="https://wordpress.org">Multiple attributes</a>',
+                                '<a data-someflag href="https://wordpress.org" rel="nofollow ugc">Multiple attributes</a>',
+                        ),
+                        array(
+                                '<a  data-someflag  title="Title"  href="https://wordpress.org" onclick=""  >Everything at once</a>',
+                                '<a  data-someflag  title="Title"  href="https://wordpress.org" onclick=""   rel="nofollow ugc">Everything at once</a>',
+                        ),
+                        array(
+                                '<a href="' . $home_url_http . '/some-url">Home URL (http)</a>',
+                                '<a href="' . $home_url_http . '/some-url">Home URL (http)</a>',
+                        ),
+                        array(
+                                '<a href="' . $home_url_https . '/some-url">Home URL (https)</a>',
+                                '<a href="' . $home_url_https . '/some-url">Home URL (https)</a>',
+                        ),
+                );
+        }
+
+        public function test_append_ugc_with_valueless_attribute() {
+                $content  = '<p>This is some cool <a href="demo.com" download rel="hola">Code</a></p>';
+                $expected = '<p>This is some cool <a href=\"demo.com\" download rel=\"hola nofollow ugc\">Code</a></p>';
+                $this->assertEquals( $expected, wp_rel_ugc( $content ) );
+        }
+}