Bug 241124

Summary: Add rel="nofollow ugc" to all non-static link locations (Summary/URL/Comment fields and Attachment view (Details) ... etc)
Product: Services Reporter: Kubilay Kocak <koobs>
Component: Bug Tracker Assignee: Bugmeister <bugmeister>
Status: Open ---    
Severity: Affects Many People CC: cem, gonzo, grahamperrin
Priority: --- Keywords: needs-patch, needs-qa
Version: unspecified   
Hardware: Any   
OS: Any   
Bug Depends on:    
Bug Blocks: 240848    
Attachments:
Description Flags
test attachment containing plaintext URL and with https://arbitrary.url.com in description
none
test attachment containing plaintext URL and URL in <a> tags, and with https://arbitrary.url.com in description
none
test attachment containing URL in <a> tags, and with https://arbitrary.url.com in description
none
test attachment (text/html type) containing URL in <a> tags, and with https://arbitrary.url.com in description
none
test attachment containing URL in <a> tags, and with https://arbitrary.url.com in description
none
test attachment containing plaintext URL and URL in <a> tags, and with https://arbitrary.url.com in description
none
test attachment (text/html type) containing URL in <a> tags, and with https://arbitrary.url.com in description
none

Description Kubilay Kocak freebsd_committer freebsd_triage 2019-10-08 02:04:02 UTC
Add rel="nofollow ugc" to all links in fields that can contain arbitrary URLs, in
at least the following fields, which have been tested/confirmed to allow arbitrary URLs:

- Summary
- URL
- Comments (including "Description" (comment 0))

See bug 240848 for details/context/analysis
Comment 1 Kubilay Kocak freebsd_committer freebsd_triage 2019-10-08 02:05:20 UTC
Update should take the form of a PR against https://github.com/freebsd/bugzilla
Comment 2 Kubilay Kocak freebsd_committer freebsd_triage 2019-10-08 02:11:56 UTC
Created attachment 208162 [details]
test attachment containing plaintext URL and with https://arbitrary.url.com in description
Comment 3 Kubilay Kocak freebsd_committer freebsd_triage 2019-10-08 02:15:35 UTC
Created attachment 208163 [details]
test attachment containing plaintext URL and URL in <a> tags, and with https://arbitrary.url.com in description

test attachment containing plaintext arbitrary url and another contained within <a> tags
Comment 4 Kubilay Kocak freebsd_committer freebsd_triage 2019-10-08 02:19:14 UTC
Created attachment 208164 [details]
test attachment containing URL in <a> tags, and with https://arbitrary.url.com in description
Comment 5 Kubilay Kocak freebsd_committer freebsd_triage 2019-10-08 02:22:40 UTC
Created attachment 208165 [details]
test attachment (text/html type) containing URL in <a> tags, and with https://arbitrary.url.com in description
Comment 6 Kubilay Kocak freebsd_committer freebsd_triage 2019-10-08 02:24:29 UTC
Created attachment 208166 [details]
test attachment containing URL in <a> tags, and with https://arbitrary.url.com in description
Comment 7 Kubilay Kocak freebsd_committer freebsd_triage 2019-10-08 02:25:21 UTC
Created attachment 208167 [details]
test attachment containing plaintext URL and URL in <a> tags, and with https://arbitrary.url.com in description
Comment 8 Kubilay Kocak freebsd_committer freebsd_triage 2019-10-08 02:26:14 UTC
Created attachment 208168 [details]
test attachment (text/html type) containing URL in <a> tags, and with https://arbitrary.url.com in description
Comment 9 Kubilay Kocak freebsd_committer freebsd_triage 2019-10-08 02:31:39 UTC
In the case of a plaintext attachment containing URLs, these links are rendered as links in:

- the Attachment "Details" view (attachment.cgi?id=<attachmentID>&action=edit)
- <div id="attachment_view_window">

So rel should be added in these too. I can't get any other combinations (see the other attachments) to result in rendered links (only plaintext).
Comment 10 Conrad Meyer freebsd_committer freebsd_triage 2019-10-08 04:28:03 UTC
We probably don't need rel= links on self-links to our own bugzilla instance, right?
Comment 11 Kubilay Kocak freebsd_committer freebsd_triage 2019-10-08 04:46:31 UTC
(In reply to Conrad Meyer from comment #10)

Yep, broadly speaking, but if we can avoid special casing or additional processing of comments for this case, that would be ideal, given:

Internal links are usually (and should be) represented using 'bug XXXX' or 'bug XXX comment XX' form (in comments), which are auto-linked by Bugzilla. 

Pasting full URLs to internal links in comments is generally to be avoided, and instead the above forms for auto-linking and/or the use of See Also: is what should be done.

There may be a case for us to program test/link conversion from the 'full url > internal form' for comments and/or other fields, if warranted/needed. We can look at that separately.

I also didn't include 'See Also' in the fields to include the rel= treatment because the See Also: field is limited to a limited set of specific formats for bug trackers / etc.
Comment 12 Conrad Meyer freebsd_committer freebsd_triage 2019-10-08 05:13:41 UTC
I agree about comments; I was responding to your comment #9:

> In the case of a plaintext attachment containing URLs, these links are
> rendered as links in:
>
> - the Attachment "Details" view (attachment.cgi?id=<attachmentID>&action=edit)
> - <div id="attachment_view_window">
>
> So rel should be added in these too.
Comment 13 Kubilay Kocak freebsd_committer freebsd_triage 2019-10-08 06:01:42 UTC
(In reply to Conrad Meyer from comment #12)

Ah. No, not suggesting we add rel for internal links. comment 9 was just mentioning the bugzilla view where I found the issue.

Click "Details" for attachment 208162 [details] (Note: it's only visible in the 'edit' sub view [1], not the attachment raw view [2])

[1] https://bugs.freebsd.org/bugzilla/attachment.cgi?id=208162&action=edit
[2] https://bugs.freebsd.org/bugzilla/attachment.cgi?id=208162
Comment 14 Conrad Meyer freebsd_committer freebsd_triage 2019-10-08 15:49:10 UTC
(In reply to Kubilay Kocak from comment #13)
Ah, apologies.  I misunderstood.  Carry on. :-)
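
A QA check for the change requested in this bug, as an added example that is not part of the thread and not Bugzilla code: it scans rendered HTML and reports external links whose rel lacks `nofollow` or `ugc`, skipping self-links to the tracker's own host as discussed in comments 10 to 13. The names `RelAuditor`, `audit`, `BASE` and `SAMPLE` are hypothetical, and the sample markup is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

REQUIRED = {"nofollow", "ugc"}
# Assumed page URL, built from the tracker address quoted in comment 13.
BASE = "https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=241124"


class RelAuditor(HTMLParser):
    """Collect external <a href> targets whose rel lacks nofollow/ugc."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.own_host = urlsplit(base_url).hostname
        self.findings = []  # (absolute URL, sorted missing rel tokens)

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        href = attr.get("href")
        if tag != "a" or not href:
            return
        # Resolve relative and scheme-relative hrefs against the page URL.
        target = urlsplit(urljoin(self.base_url, href.strip()))
        # Skip non-web schemes and self-links (e.g. auto-linked "bug NNNN").
        if target.scheme not in ("http", "https"):
            return
        if (target.hostname or "") == self.own_host:
            return
        # rel is a whitespace-separated, case-insensitive token list.
        tokens = set((attr.get("rel") or "").lower().split())
        missing = REQUIRED - tokens
        if missing:
            self.findings.append((target.geturl(), sorted(missing)))


def audit(html, base_url=BASE):
    parser = RelAuditor(base_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample markup (not copied from a real Bugzilla page).
SAMPLE = """
<a href="show_bug.cgi?id=240848">bug 240848</a>
<a href="https://bugs.freebsd.org/bugzilla/attachment.cgi?id=208162">self</a>
<a href="https://arbitrary.url.com">https://arbitrary.url.com</a>
<a rel="nofollow" href="//arbitrary.url.com/a">partial</a>
<a rel="noreferrer NoFollow UGC" href="https://arbitrary.url.com/b">ok</a>
"""
```

Run `audit()` over the rendered output of each view named in the thread (bug page, attachment "Details" view); an empty list means every external link carries both tokens.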