maximum number of links in comment "exploit"

[Ozh]

Function 'check_comment' in comment-functions.php counts the number of 'http:' occurences. So a spammer can post as much links as wished if typed this way :
<a href="crapsite.com">link</a>

[skippy]

Should check_comment check non-http links? FTP / https / ??

Is this a big deal?

[markjaquith]

well, the site.com links would be clickable... so they should probably get counted. I don't think https or FTP is going to be a problem, though.

We could count href="​http:// and href=" and combine the two, or move to a regex. Also have to consider href='​http:// and href=' so it might be time to go the regex route.

Another issue: <a href="​http://site.com/">​http://site.com/</a> gets penalized twice with the current situation, and if you're using a formatting filter on your comments, those links could get through on their own. Should we be processing the comment text filters before looking for links? That's how it's going to appear on your site...

[davidhouse]

The quotes are optional in HTML, so don't require their presence. I.e., <a href=​http://example.com>blah</a> works in most browsers. I'd suggest checking with:

#href=('|")?(https?:)?("|')?#

[Nazgul]

This ticket hasn't been updated in ages, but I think it's still valid.

I've created a patch for it which should cover most of the given scenarios, but some feedback would be appreciated.

[foolswisdom]

Clearing owner = skippy

[Nazgul]

Updated patch, based on feedback on IRC:

[06:29] MarkJaquith: BasB: regarding the \/\/ part (​http://) ... you're using pipes to delimit the regex, so you shouldn't have to escape those forward slashes
[06:30] MarkJaquith: oh, and let's make it case insensitive

Also marking this as a 2.0.5 candidate.

[markjaquith]

(In [4299]) comment link counting improvements from Nazgul. fixes: #938

[foolswisdom]

[4300] same fix for branches/2.0 -> 2.0.5

[(none)]

Milestone 2.0.5 deleted