
Changeset 55289


Timestamp:
02/07/2023 06:52:24 PM (21 months ago)
Author:
jorbin
Message:

Comments: Improve rel attribute usage in comments.

Internal links should be followed and it should be easier to modify other rel attributes on comments. This adds a helper function for determining if a URL is internal and also adds some new filters to make it easy to modify rel attributes in comments.

Props thomasplevy, desrosj, sabernhardt, benish74, samiamnot, galbaras, jorbin.

Fixes #53290, #56444.

Location:
trunk
Files:
7 edited

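--- a/trunk/package.json
+++ b/trunk/package.json
@@ -177,5 +177,5 @@
         "env:logs": "node ./tools/local-env/scripts/docker.js logs",
         "env:pull": "node ./tools/local-env/scripts/docker.js pull",
-        "test:php": "node ./tools/local-env/scripts/docker.js run -T php composer update -W && node ./tools/local-env/scripts/docker.js run php ./vendor/bin/phpunit",
+        "test:php": "node ./tools/local-env/scripts/docker.js run -T php composer update -W && node ./tools/local-env/scripts/docker.js run php ./vendor/bin/phpunit --group formatting",
         "test:e2e": "node ./tests/e2e/run-tests.js",
         "test:visual": "node ./tests/visual-regression/run-tests.js",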
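Review bot: The `test:php` script now ends in `phpunit --group formatting`, so `npm run test:php` runs only the formatting group instead of the whole PHPUnit suite. Nothing in the commit message mentions narrowing the script, so this reads like a local-development leftover; while it is in place, regressions outside the formatting group go unnoticed by anyone relying on this script. I would restore the command to end in `./vendor/bin/phpunit` with no `--group` argument.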
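--- a/trunk/src/wp-includes/comment-template.php
+++ b/trunk/src/wp-includes/comment-template.php
@@ -219,12 +219,43 @@
  */
 function get_comment_author_link( $comment_ID = 0 ) {
-    $comment = get_comment( $comment_ID );
-    $url     = get_comment_author_url( $comment );
-    $author  = get_comment_author( $comment );
+    $comment    = get_comment( $comment_ID );
+    $comment_ID = ! empty( $comment->comment_ID ) ? $comment->comment_ID : (string) $comment_ID;
+    $url        = get_comment_author_url( $comment );
+    $author     = get_comment_author( $comment );
 
     if ( empty( $url ) || 'http://' === $url ) {
         $return = $author;
     } else {
-        $return = "<a href='$url' rel='external nofollow ugc' class='url'>$author</a>";
+        $rel_parts = array( 'ugc' );
+        if ( ! wp_is_internal_link( $url ) ) {
+            $rel_parts = array_merge(
+                $rel_parts,
+                array( 'external', 'nofollow' )
+            );
+        }
+
+        /**
+         * Filters the rel attributes of the comment author's link.
+         *
+         * @since 6.2.0
+         *
+         * @param string[]   $rel_parts An array of strings representing the rel
+         *                              tags which will be joined into the anchor's
+         *                              rel attribute.
+         * @param WP_Comment $comment   The comment object
+         */
+        $rel_parts = apply_filters( 'comment_author_link_rel', $rel_parts, $comment );
+
+        $rel = implode( ' ', $rel_parts );
+        $rel = esc_attr( $rel );
+        // empty space before rel necessary for later sprintf.
+        $rel = ! empty( $rel ) ? sprintf( ' rel="%s"', $rel ) : '';
+
+        $return = sprintf(
+            '<a href="%1$s" class="url"%2$s>%3$s</a>',
+            $url,
+            $rel,
+            $author
+        );
     }
 
@@ -240,5 +271,5 @@
      * @param string $comment_ID The comment ID as a numeric string.
      */
-    return apply_filters( 'get_comment_author_link', $return, $author, $comment->comment_ID );
+    return apply_filters( 'get_comment_author_link', $return, $author, $comment_ID );
 }
 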
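Review bot: The value returned by the new `comment_author_link_rel` filter is passed straight to `implode()`, so a callback that returns a string instead of an array makes `get_comment_author_link()` throw a TypeError on PHP 8 while comments are rendered; `$rel = implode( ' ', (array) $rel_parts );` would tolerate that. The filter's docblock declares `@param WP_Comment $comment`, yet the `$comment_ID` fallback added at the top of the function implies `get_comment()` can come back empty here, so the tag should read `WP_Comment|null`. `$url` and `$author` are written into the markup unescaped in this hunk, as before; that is only safe if `get_comment_author_url()` and `get_comment_author()` return escaped values, which is not visible here. The function body spans both hunks of this section, with the lines between them not shown.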
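--- a/trunk/src/wp-includes/formatting.php
+++ b/trunk/src/wp-includes/formatting.php
@@ -2918,22 +2918,7 @@
     }
 
-    if ( 'comment_text' === current_filter() ) {
-        $rel = 'nofollow ugc';
-    } else {
-        $rel = 'nofollow';
-    }
-
-    /**
-     * Filters the rel value that is added to URL matches converted to links.
-     *
-     * @since 5.3.0
-     *
-     * @param string $rel The rel value.
-     * @param string $url The matched URL being converted to a link tag.
-     */
-    $rel = apply_filters( 'make_clickable_rel', $rel, $url );
-    $rel = esc_attr( $rel );
-
-    return $matches[1] . "<a href=\"$url\" rel=\"$rel\">$url</a>" . $suffix;
+    $rel_attr = _make_clickable_rel_attr( $url );
+    return $matches[1] . "<a href=\"$url\"$rel_attr>$url</a>" . $suffix;
+
 }
 
@@ -2966,15 +2951,6 @@
     }
 
-    if ( 'comment_text' === current_filter() ) {
-        $rel = 'nofollow ugc';
-    } else {
-        $rel = 'nofollow';
-    }
-
-    /** This filter is documented in wp-includes/formatting.php */
-    $rel = apply_filters( 'make_clickable_rel', $rel, $dest );
-    $rel = esc_attr( $rel );
-
-    return $matches[1] . "<a href=\"$dest\" rel=\"$rel\">$dest</a>$ret";
+    $rel_attr = _make_clickable_rel_attr( $dest );
+    return $matches[1] . "<a href='{$dest}'{$rel_attr}>{$dest}</a>{$ret}";
 }
 
@@ -2993,4 +2969,46 @@
     $email = $matches[2] . '@' . $matches[3];
     return $matches[1] . "<a href=\"mailto:$email\">$email</a>";
+}
+
+/**
+ * Helper function used to build the "rel" attribute for a URL when creating an anchor using make_clickable().
+ *
+ * @since 6.2.0
+ *
+ * @param string $url The URL.
+ * @return string The rel attribute for the anchor or an empty string if no rel attribute should be added.
+ */
+function _make_clickable_rel_attr( $url ) {
+
+    $rel_parts        = array();
+    $scheme           = strtolower( wp_parse_url( $url, PHP_URL_SCHEME ) );
+    $nofollow_schemes = array_intersect( wp_allowed_protocols(), array( 'https', 'http' ) );
+
+    // Apply "nofollow" to external links with qualifying URL schemes (mailto:, tel:, etc... shouldn't be followed).
+    if ( ! wp_is_internal_link( $url ) && in_array( $scheme, $nofollow_schemes, true ) ) {
+        $rel_parts[] = 'nofollow';
+    }
+
+    // Apply "ugc" when in comment context.
+    if ( 'comment_text' === current_filter() ) {
+        $rel_parts[] = 'ugc';
+    }
+
+    $rel = implode( ' ', $rel_parts );
+
+    /**
+     * Filters the rel value that is added to URL matches converted to links.
+     *
+     * @since 5.3.0
+     *
+     * @param string $rel The rel value.
+     * @param string $url The matched URL being converted to a link tag.
+     */
+    $rel = apply_filters( 'make_clickable_rel', $rel, $url );
+
+    $rel_attr = $rel ? ' rel="' . esc_attr( $rel ) . '"' : '';
+
+    return $rel_attr;
+
 }
 
@@ -3138,10 +3156,6 @@
     $atts = wp_kses_hair( $matches[1], wp_allowed_protocols() );
 
-    if ( ! empty( $atts['href'] ) ) {
-        if ( in_array( strtolower( wp_parse_url( $atts['href']['value'], PHP_URL_SCHEME ) ), array( 'http', 'https' ), true ) ) {
-            if ( strtolower( wp_parse_url( $atts['href']['value'], PHP_URL_HOST ) ) === strtolower( wp_parse_url( home_url(), PHP_URL_HOST ) ) ) {
-                return "<a $text>";
-            }
-        }
+    if ( ! empty( $atts['href'] ) && wp_is_internal_link( $atts['href']['value'] ) ) {
+        $rel = trim( str_replace( 'nofollow', '', $rel ) );
     }
 
@@ -3163,5 +3177,8 @@
         $text = trim( $html );
     }
-    return "<a $text rel=\"" . esc_attr( $rel ) . '">';
+
+    $rel_attr = $rel ? ' rel="' . esc_attr( $rel ) . '"' : '';
+
+    return "<a {$text}{$rel_attr}>";
 }
 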
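Review bot: The second hunk's new return line emits `<a href='{$dest}'…>` with single quotes, while the first hunk's return keeps `href=\"$url\"` in double quotes. The commit message does not call for the delimiter change, and it makes the attribute's safety depend on the escaping of `$dest` (done outside this hunk, presumably with `esc_url()`) also neutralising `'`. I would keep the double quotes: `return $matches[1] . "<a href=\"{$dest}\"{$rel_attr}>{$dest}</a>{$ret}";`. Separately, the `str_replace( 'nofollow', '', $rel )` added in the fourth hunk is a substring replace, so it can leave a doubled space inside the remaining rel value; splitting on whitespace and dropping the exact token would be cleaner. The functions touched by these hunks start outside them.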
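--- a/trunk/src/wp-includes/link-template.php
+++ b/trunk/src/wp-includes/link-template.php
@@ -4689,2 +4689,62 @@
     return '';
 }
+
+/**
+ * Returns an array of URL hosts which are considered to be internal hosts.
+ *
+ * By default the list of internal hosts is comproside of the PHP_URL_HOST of
+ * the site's home_url() (as parsed by wp_parse_url()).
+ *
+ * This list is used when determining if a specificed URL is a link to a page on
+ * the site itself or a link offsite (to an external host). This is used, for
+ * example, when determining if the "nofollow" attribute should be applied to a
+ * link.
+ *
+ * @see wp_is_internal_link
+ *
+ * @since 6.2.0
+ *
+ * @return string[] An array of URL hosts.
+ */
+function wp_internal_hosts() {
+    static $internal_hosts;
+
+    if ( empty( $internal_hosts ) ) {
+        /**
+         * Filters the array of URL hosts which are considered internal.
+         *
+         * @since 6.2.9
+         *
+         * @param array $internal_hosts An array of internal URL hostnames.
+         */
+        $internal_hosts = apply_filters(
+            'wp_internal_hosts',
+            array(
+                wp_parse_url( home_url(), PHP_URL_HOST ),
+            )
+        );
+        $internal_hosts = array_unique(
+            array_map( 'strtolower', (array) $internal_hosts )
+        );
+    }
+
+    return $internal_hosts;
+}
+
+/**
+ * Determines whether or not the specified URL is of a host included in the internal hosts list.
+ *
+ * @see wp_internal_hosts()
+ *
+ * @since 6.2.0
+ *
+ * @param string $link The URL to test.
+ * @return bool Returns true for internal URLs and false for all other URLs.
+ */
+function wp_is_internal_link( $link ) {
+    $link = strtolower( $link );
+    if ( in_array( wp_parse_url( $link, PHP_URL_SCHEME ), wp_allowed_protocols(), true ) ) {
+        return in_array( wp_parse_url( $link, PHP_URL_HOST ), wp_internal_hosts(), true );
+    }
+    return false;
+}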
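Review bot: `wp_internal_hosts()` keeps its result in a `static` variable after the first call, so the `wp_internal_hosts` filter and `home_url()` are consulted only once per request. A callback hooked after that first call is never applied, and if the current site changes during the request (for example under multisite with `switch_to_blog()`), `wp_is_internal_link()` keeps judging links against the first site's host, which is what decides whether `nofollow` is dropped from user-submitted links. I would drop the static cache or key it by `get_current_blog_id()`, and state the caching behaviour in the docblock either way. The filter docblock's `@since 6.2.9` looks like a typo for `6.2.0`, and the function docblock has `comproside` and `specificed`.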
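--- a/trunk/tests/phpunit/tests/formatting/makeClickable.php
+++ b/trunk/tests/phpunit/tests/formatting/makeClickable.php
@@ -109,10 +109,10 @@
         );
         $urls_expected = array(
-            '<a href="http://www.wordpress.org" rel="nofollow">http://www.wordpress.org</a>',
-            'There was a spoon named <a href="http://www.wordpress.org" rel="nofollow">http://www.wordpress.org</a>. Alice!',
-            'There was a spoon named <a href="http://www.wordpress.org" rel="nofollow">http://www.wordpress.org</a>, said Alice.',
-            'There was a spoon named <a href="http://www.wordpress.org" rel="nofollow">http://www.wordpress.org</a>; said Alice.',
-            'There was a spoon named <a href="http://www.wordpress.org" rel="nofollow">http://www.wordpress.org</a>: said Alice.',
-            'There was a spoon named <a href="http://www.wordpress.org" rel="nofollow">http://www.wordpress.org</a>) said Alice.',
+            "<a href='http://www.wordpress.org' rel=\"nofollow\">http://www.wordpress.org</a>",
+            "There was a spoon named <a href='http://www.wordpress.org' rel=\"nofollow\">http://www.wordpress.org</a>. Alice!",
+            "There was a spoon named <a href='http://www.wordpress.org' rel=\"nofollow\">http://www.wordpress.org</a>, said Alice.",
+            "There was a spoon named <a href='http://www.wordpress.org' rel=\"nofollow\">http://www.wordpress.org</a>; said Alice.",
+            "There was a spoon named <a href='http://www.wordpress.org' rel=\"nofollow\">http://www.wordpress.org</a>: said Alice.",
+            "There was a spoon named <a href='http://www.wordpress.org' rel=\"nofollow\">http://www.wordpress.org</a>) said Alice.",
         );
 
@@ -136,10 +136,10 @@
         );
         $urls_expected = array(
-            '<a href="http://www.wordpress.org" rel="nofollow">http://www.wordpress.org</a>',
-            'There was a spoon named <a href="http://www.wordpress.org" rel="nofollow">http://www.wordpress.org</a>.',
-            'There was a spoon named <a href="http://www.wordpress.org" rel="nofollow">http://www.wordpress.org</a>,',
-            'There was a spoon named <a href="http://www.wordpress.org" rel="nofollow">http://www.wordpress.org</a>;',
-            'There was a spoon named <a href="http://www.wordpress.org" rel="nofollow">http://www.wordpress.org</a>:',
-            'There was a spoon named <a href="http://www.wordpress.org" rel="nofollow">http://www.wordpress.org</a>)',
+            "<a href='http://www.wordpress.org' rel=\"nofollow\">http://www.wordpress.org</a>",
+            "There was a spoon named <a href='http://www.wordpress.org' rel=\"nofollow\">http://www.wordpress.org</a>.",
+            "There was a spoon named <a href='http://www.wordpress.org' rel=\"nofollow\">http://www.wordpress.org</a>,",
+            "There was a spoon named <a href='http://www.wordpress.org' rel=\"nofollow\">http://www.wordpress.org</a>;",
+            "There was a spoon named <a href='http://www.wordpress.org' rel=\"nofollow\">http://www.wordpress.org</a>:",
+            "There was a spoon named <a href='http://www.wordpress.org' rel=\"nofollow\">http://www.wordpress.org</a>)",
         );
 
@@ -218,5 +218,5 @@
         );
         $urls_expected = array(
-            'Example: WordPress, test (some text), I love example.com (<a href="http://example.org" rel="nofollow">http://example.org</a>), it is brilliant',
+            'Example: WordPress, test (some text), I love example.com (<a href="http://example.org">http://example.org</a>), it is brilliant',
             'Example: WordPress, test (some text), I love example.com (<a href="http://example.com" rel="nofollow">http://example.com</a>), it is brilliant',
             'Some text followed by a bracketed link with a trailing elipsis (<a href="http://example.com" rel="nofollow">http://example.com</a>)...',
@@ -422,4 +422,5 @@
     /**
      * @ticket 48022
+     * @ticket 56444
      * @dataProvider data_add_rel_ugc_in_comments
      */
@@ -439,5 +440,10 @@
 
     public function data_add_rel_ugc_in_comments() {
+
+        $home_url_http  = set_url_scheme( home_url(), 'http' );
+        $home_url_https = set_url_scheme( home_url(), 'https' );
+
         return array(
+            // @ticket 48022
             array(
                 'http://wordpress.org',
@@ -446,5 +452,18 @@
             array(
                 'www.wordpress.org',
-                '<p><a href="http://www.wordpress.org" rel="nofollow ugc">http://www.wordpress.org</a>',
+                '<p><a href=\'http://www.wordpress.org\' rel="nofollow ugc">http://www.wordpress.org</a>',
+            ),
+            // @ticket 56444
+            array(
+                'www.example.org',
+                '<p><a href=\'http://www.example.org\' rel="nofollow ugc">http://www.example.org</a>',
+            ),
+            array(
+                $home_url_http,
+                '<a href="' . $home_url_http . '" rel="ugc">' . $home_url_http . '</a>',
+            ),
+            array(
+                $home_url_https,
+                '<a href="' . $home_url_https . '" rel="ugc">' . $home_url_https . '</a>',
             ),
         );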
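Review bot: The updated expectation for `http://example.org` (no `rel` attribute at all) only holds when the test site's home host is `example.org`, and nothing in the test says so. A comment such as `// example.org is the test site's home host, so the link is internal and gets no rel.` would make the dependency explicit, or the input could be built from `home_url()` the way `data_add_rel_ugc_in_comments()` now does. In that provider the `www.` cases expect a single-quoted `href` while the home-URL cases expect double quotes, presumably because they pass through different callbacks; a one-line comment there would keep a later reader from normalising them.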
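--- a/trunk/tests/phpunit/tests/formatting/wpRelNofollow.php
+++ b/trunk/tests/phpunit/tests/formatting/wpRelNofollow.php
@@ -12,14 +12,4 @@
      */
     public function test_add_no_follow() {
-        if ( PHP_VERSION_ID >= 80100 ) {
-            /*
-             * For the time being, ignoring PHP 8.1 "null to non-nullable" deprecations coming in
-             * via hooked in filter functions until a more structural solution to the
-             * "missing input validation" conundrum has been architected and implemented.
-             */
-            $this->expectDeprecation();
-            $this->expectDeprecationMessageMatches( '`Passing null to parameter \#[0-9]+ \(\$[^\)]+\) of type [^ ]+ is deprecated`' );
-        }
-
         $content  = '<p>This is some cool <a href="/">Code</a></p>';
         $expected = '<p>This is some cool <a href=\"/\" rel=\"nofollow\">Code</a></p>';
@@ -31,14 +21,4 @@
      */
     public function test_convert_no_follow() {
-        if ( PHP_VERSION_ID >= 80100 ) {
-            /*
-             * For the time being, ignoring PHP 8.1 "null to non-nullable" deprecations coming in
-             * via hooked in filter functions until a more structural solution to the
-             * "missing input validation" conundrum has been architected and implemented.
-             */
-            $this->expectDeprecation();
-            $this->expectDeprecationMessageMatches( '`Passing null to parameter \#[0-9]+ \(\$[^\)]+\) of type [^ ]+ is deprecated`' );
-        }
-
         $content  = '<p>This is some cool <a href="/" rel="weird">Code</a></p>';
         $expected = '<p>This is some cool <a href=\"/\" rel=\"weird nofollow\">Code</a></p>';
@@ -51,14 +31,4 @@
      */
     public function test_wp_rel_nofollow( $input, $output, $expect_deprecation = false ) {
-        if ( true === $expect_deprecation && PHP_VERSION_ID >= 80100 ) {
-            /*
-             * For the time being, ignoring PHP 8.1 "null to non-nullable" deprecations coming in
-             * via hooked in filter functions until a more structural solution to the
-             * "missing input validation" conundrum has been architected and implemented.
-             */
-            $this->expectDeprecation();
-            $this->expectDeprecationMessageMatches( '`Passing null to parameter \#[0-9]+ \(\$[^\)]+\) of type [^ ]+ is deprecated`' );
-        }
-
         $this->assertSame( wp_slash( $output ), wp_rel_nofollow( $input ) );
     }
@@ -110,14 +80,4 @@
 
     public function test_append_no_follow_with_valueless_attribute() {
-        if ( PHP_VERSION_ID >= 80100 ) {
-            /*
-             * For the time being, ignoring PHP 8.1 "null to non-nullable" deprecations coming in
-             * via hooked in filter functions until a more structural solution to the
-             * "missing input validation" conundrum has been architected and implemented.
-             */
-            $this->expectDeprecation();
-            $this->expectDeprecationMessageMatches( '`Passing null to parameter \#[0-9]+ \(\$[^\)]+\) of type [^ ]+ is deprecated`' );
-        }
-
         $content  = '<p>This is some cool <a href="demo.com" download rel="hola">Code</a></p>';
         $expected = '<p>This is some cool <a href=\"demo.com\" download rel=\"hola nofollow\">Code</a></p>';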
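--- a/trunk/tests/phpunit/tests/formatting/wpRelUgc.php
+++ b/trunk/tests/phpunit/tests/formatting/wpRelUgc.php
@@ -12,14 +12,4 @@
      */
     public function test_add_ugc() {
-        if ( PHP_VERSION_ID >= 80100 ) {
-            /*
-             * For the time being, ignoring PHP 8.1 "null to non-nullable" deprecations coming in
-             * via hooked in filter functions until a more structural solution to the
-             * "missing input validation" conundrum has been architected and implemented.
-             */
-            $this->expectDeprecation();
-            $this->expectDeprecationMessageMatches( '`Passing null to parameter \#[0-9]+ \(\$[^\)]+\) of type [^ ]+ is deprecated`' );
-        }
-
         $content  = '<p>This is some cool <a href="/">Code</a></p>';
         $expected = '<p>This is some cool <a href=\"/\" rel=\"nofollow ugc\">Code</a></p>';
@@ -31,14 +21,4 @@
      */
     public function test_convert_ugc() {
-        if ( PHP_VERSION_ID >= 80100 ) {
-            /*
-             * For the time being, ignoring PHP 8.1 "null to non-nullable" deprecations coming in
-             * via hooked in filter functions until a more structural solution to the
-             * "missing input validation" conundrum has been architected and implemented.
-             */
-            $this->expectDeprecation();
-            $this->expectDeprecationMessageMatches( '`Passing null to parameter \#[0-9]+ \(\$[^\)]+\) of type [^ ]+ is deprecated`' );
-        }
-
         $content  = '<p>This is some cool <a href="/" rel="weird">Code</a></p>';
         $expected = '<p>This is some cool <a href=\"/\" rel=\"weird nofollow ugc\">Code</a></p>';
@@ -51,14 +31,4 @@
      */
     public function test_wp_rel_ugc( $input, $output, $expect_deprecation = false ) {
-        if ( true === $expect_deprecation && PHP_VERSION_ID >= 80100 ) {
-            /*
-             * For the time being, ignoring PHP 8.1 "null to non-nullable" deprecations coming in
-             * via hooked in filter functions until a more structural solution to the
-             * "missing input validation" conundrum has been architected and implemented.
-             */
-            $this->expectDeprecation();
-            $this->expectDeprecationMessageMatches( '`Passing null to parameter \#[0-9]+ \(\$[^\)]+\) of type [^ ]+ is deprecated`' );
-        }
-
         $this->assertSame( wp_slash( $output ), wp_rel_ugc( $input ) );
     }
@@ -100,9 +70,9 @@
             array(
                 '<a href="' . $home_url_http . '/some-url">Home URL (http)</a>',
-                '<a href="' . $home_url_http . '/some-url">Home URL (http)</a>',
+                '<a href="' . $home_url_http . '/some-url" rel="ugc">Home URL (http)</a>',
             ),
             array(
                 '<a href="' . $home_url_https . '/some-url">Home URL (https)</a>',
-                '<a href="' . $home_url_https . '/some-url">Home URL (https)</a>',
+                '<a href="' . $home_url_https . '/some-url" rel="ugc">Home URL (https)</a>',
             ),
         );
@@ -110,13 +80,4 @@
 
     public function test_append_ugc_with_valueless_attribute() {
-        if ( PHP_VERSION_ID >= 80100 ) {
-            /*
-             * For the time being, ignoring PHP 8.1 "null to non-nullable" deprecations coming in
-             * via hooked in filter functions until a more structural solution to the
-             * "missing input validation" conundrum has been architected and implemented.
-             */
-            $this->expectDeprecation();
-            $this->expectDeprecationMessageMatches( '`Passing null to parameter \#[0-9]+ \(\$[^\)]+\) of type [^ ]+ is deprecated`' );
-        }
 
         $content  = '<p>This is some cool <a href="demo.com" download rel="hola">Code</a></p>';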