Roundup Tracker - Issues

Issue 2551098

Classification
Title: Links created in markdown are missing rel="noreferrer nofollow"
Type: security
Severity: minor
Components: Web interface
Versions: 2.0.0
Process
Status: fixed
Resolution: fixed
Assignee: rouilj
Priority: low
Effort-Low, GSOC

Created on 2020-10-30 03:57 by rouilj, last changed 2020-10-31 18:59 by rouilj.

Messages
msg7017 Author: [hidden] (rouilj) Date: 2020-10-30 03:57
Currently links entered using markdown formatting do not have the 
nofollow/noreferer relations. These relations are present to reduce the 
value of link spamming.

In msg7010 Cedric indicates there is an option to do this in markdown2
but not mistune or markdown.

It looks like both mistune and markdown support plugins. So we could
write plugins that can add this attribute and initialize the markdown
interpreters to use the plugin.

I think this should always be enabled just like normal text format.
Note that it is enabled only for non-self-referring URLs. So issue234,
msg20 etc. links do not have the anti-spam relations.
msg7018 Author: [hidden] (rouilj) Date: 2020-10-31 18:59
Committed in rev 6282:d30501bafdfb.

Now rel="nofollow" is added to links generated by markdown2 backends
and rel="nofollow noopener" for mistune and markdown backends.

Markdown2 isn't as programmable as the other two backends so I used the
built-in nofollow support. This means that a user that generates a
link that opens in a new window can manipulate the parent window; not
great, but monkey patching etc. is too fragile.

Markdown adds nofollow to all links including mailto etc. The other
backends add it only for http* type links.

Testing required a special mangler that converts markdown2 output
into the same output we get from markdown and mistune. This way
I have one valid test result for all three backends.
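As an added illustration of the behaviour these two messages describe (anti-spam relations on external http* links only, self-referring links such as issue234 left alone), here is a stdlib-only post-processor over already-rendered HTML. This is example code written for this page, not Roundup's plugin code or the committed change; the sample HTML is constructed, and an existing rel attribute is merged rather than overwritten.

```python
from html import escape
from html.parser import HTMLParser

# Relations the tracker adds to external links (mistune/markdown backends).
ANTI_SPAM_RELS = ("nofollow", "noopener")


class RelAdder(HTMLParser):
    """Copy HTML through unchanged, except that <a href="http(s)://..."> gets
    rel="nofollow noopener". Relative, mailto and other links are untouched."""

    def __init__(self):
        super().__init__(convert_charrefs=False)  # keep entities as written
        self.out = []

    def _emit_start(self, tag, attrs, self_closing=False):
        parts = [tag]
        for name, value in attrs:
            parts.append(name if value is None
                         else f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + (" />" if self_closing else ">"))

    @staticmethod
    def _rewrite(attrs):
        attrs = dict(attrs)
        href = (attrs.get("href") or "").strip().lower()
        if href.startswith(("http://", "https://")):  # external links only
            rels = (attrs.get("rel") or "").split()
            rels += [r for r in ANTI_SPAM_RELS if r not in rels]
            attrs["rel"] = " ".join(rels)
        return list(attrs.items())

    def handle_starttag(self, tag, attrs):
        self._emit_start(tag, self._rewrite(attrs) if tag == "a" else attrs)

    def handle_startendtag(self, tag, attrs):
        self._emit_start(tag, attrs, self_closing=True)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def add_antispam_rels(html):
    """Return html with rel="nofollow noopener" on every external link."""
    parser = RelAdder()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


# Constructed sample: one external link, one self-referring link, one mailto.
SAMPLE = ('<p>See <a href="https://example.com/spam">this</a>, '
          '<a href="issue234">issue234</a> and '
          '<a href="mailto:user@example.com">mail</a>.</p>')
```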
History
Date | User | Action | Args
2020-10-31 18:59:29 | rouilj | set | status: new -> fixed; assignee: rouilj; resolution: fixed; messages: + msg7018
2020-10-30 03:57:12 | rouilj | create |