Comments: Add `rel="nofollow ugc"` attribute to links in comments.

UGC stands for User Generated Content, and the `ugc` attribute value is recommended for links within user generated content, such as comments and forum posts. See https://webmasters.googleblog.com/2019/09/evolving-nofollow-new-ways-to-identify.html. Props audrasjb, joostdevalk, dkarfa, SergeyBiryukov. Fixes #48022. Built from https://develop.svn.wordpress.org/trunk@46349 git-svn-id: http://core.svn.wordpress.org/trunk@46148 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-09-30 01:30:58 +00:00 · 2019-09-30 01:30:58 +00:00 · 2afdc64723
parent 8cb7c5c764
commit 2afdc64723
4 changed files with 72 additions and 32 deletions
--- a/wp-includes/comment-template.php
+++ b/wp-includes/comment-template.php
@ -224,7 +224,7 @@ function get_comment_author_link( $comment_ID = 0 ) {
 	if ( empty( $url ) || 'http://' == $url ) {
 		$return = $author;
 	} else {
-		$return = "<a href='$url' rel='external nofollow' class='url'>$author</a>";
+		$return = "<a href='$url' rel='external nofollow ugc' class='url'>$author</a>";
 	}

 	/**
--- a/wp-includes/default-filters.php
+++ b/wp-includes/default-filters.php
@ -246,7 +246,7 @@ add_filter( 'pre_kses', 'wp_pre_kses_less_than' );
 add_filter( 'sanitize_title', 'sanitize_title_with_dashes', 10, 3 );
 add_action( 'check_comment_flood', 'check_comment_flood_db', 10, 4 );
 add_filter( 'comment_flood_filter', 'wp_throttle_comment_flood', 10, 3 );
-add_filter( 'pre_comment_content', 'wp_rel_nofollow', 15 );
+add_filter( 'pre_comment_content', 'wp_rel_ugc', 15 );
 add_filter( 'comment_email', 'antispambot' );
 add_filter( 'option_tag_base', '_wp_filter_taxonomy_base' );
 add_filter( 'option_category_base', '_wp_filter_taxonomy_base' );
--- a/wp-includes/formatting.php
+++ b/wp-includes/formatting.php
@ -3012,35 +3012,19 @@ function _split_str_by_whitespace( $string, $goal ) {
 }

 /**
- * Adds rel nofollow string to all HTML A elements in content.
+ * Callback to add a rel attribute to HTML A element.
 *
- * @since 1.5.0
+ * Will remove already existing string before adding to prevent invalidating (X)HTML.
 *
- * @param string $text Content that may contain HTML A elements.
- * @return string Converted content.
+ * @since 5.3.0
+ *
+ * @param array  $matches Single match.
+ * @param string $rel     The rel attribute to add.
+ * @return string HTML A element with the added rel attribute.
 */
-function wp_rel_nofollow( $text ) {
-	// This is a pre save filter, so text is already escaped.
-	$text = stripslashes( $text );
-	$text = preg_replace_callback( '|<a (.+?)>|i', 'wp_rel_nofollow_callback', $text );
-	return wp_slash( $text );
-}
-
-/**
- * Callback to add rel=nofollow string to HTML A element.
- *
- * Will remove already existing rel="nofollow" and rel='nofollow' from the
- * string to prevent from invalidating (X)HTML.
- *
- * @since 2.3.0
- *
- * @param array $matches Single Match
- * @return string HTML A Element with rel nofollow.
- */
-function wp_rel_nofollow_callback( $matches ) {
+function wp_rel_callback( $matches, $rel ) {
 	$text = $matches[1];
 	$atts = wp_kses_hair( $matches[1], wp_allowed_protocols() );
-	$rel  = 'nofollow';

 	if ( ! empty( $atts['href'] ) ) {
 		if ( in_array( strtolower( wp_parse_url( $atts['href']['value'], PHP_URL_SCHEME ) ), array( 'http', 'https' ), true ) ) {
@ -3051,11 +3035,10 @@ function wp_rel_nofollow_callback( $matches ) {
 	}

 	if ( ! empty( $atts['rel'] ) ) {
-		$parts = array_map( 'trim', explode( ' ', $atts['rel']['value'] ) );
-		if ( false === array_search( 'nofollow', $parts ) ) {
-			$parts[] = 'nofollow';
-		}
-		$rel = implode( ' ', $parts );
+		$parts     = array_map( 'trim', explode( ' ', $atts['rel']['value'] ) );
+		$rel_array = array_map( 'trim', explode( ' ', $rel ) );
+		$parts     = array_unique( array_merge( $parts, $rel_array ) );
+		$rel       = implode( ' ', $parts );
 		unset( $atts['rel'] );

 		$html = '';
@ -3071,6 +3054,63 @@ function wp_rel_nofollow_callback( $matches ) {
 	return "<a $text rel=\"" . esc_attr( $rel ) . '">';
 }

+/**
+ * Adds `rel="nofollow"` string to all HTML A elements in content.
+ *
+ * @since 1.5.0
+ *
+ * @param string $text Content that may contain HTML A elements.
+ * @return string Converted content.
+ */
+function wp_rel_nofollow( $text ) {
+	// This is a pre save filter, so text is already escaped.
+	$text = stripslashes( $text );
+	$rel  = 'nofollow';
+	$text = preg_replace_callback(
+		'|<a (.+?)>|i',
+		function( $matches ) use ( $rel ) {
+			return wp_rel_callback( $matches, $rel );
+		},
+		$text
+	);
+	return wp_slash( $text );
+}
+
+/**
+ * Callback to add `rel="nofollow"` string to HTML A element.
+ *
+ * @since 2.3.0
+ * @deprecated 5.3.0 Use wp_rel_callback()
+ *
+ * @param array $matches Single match.
+ * @return string HTML A Element with `rel="nofollow"`.
+ */
+function wp_rel_nofollow_callback( $matches ) {
+	return wp_rel_callback( $matches, 'nofollow' );
+}
+
+/**
+ * Adds `rel="nofollow ugc"` string to all HTML A elements in content.
+ *
+ * @since 5.3.0
+ *
+ * @param string $text Content that may contain HTML A elements.
+ * @return string Converted content.
+ */
+function wp_rel_ugc( $text ) {
+	// This is a pre save filter, so text is already escaped.
+	$text = stripslashes( $text );
+	$rel  = 'nofollow ugc';
+	$text = preg_replace_callback(
+		'|<a (.+?)>|i',
+		function( $matches ) use ( $rel ) {
+			return wp_rel_callback( $matches, $rel );
+		},
+		$text
+	);
+	return wp_slash( $text );
+}
+
 /**
 * Adds rel noreferrer and noopener to all HTML A elements that have a target.
 *
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@ -13,7 +13,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '5.3-beta1-46348';
+$wp_version = '5.3-beta1-46349';

 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.