Comments: Improve rel attribute usage in comments.

Internal links should be followed and it should be easier to modify other rel attributes on comments. This adds a helper function for determining if a URL is internal and also adds some new filters to make it easy to modify rel attributes in comments.

Props thomasplevy, desrosj, sabernhardt, benish74, samiamnot, galbaras, jorbin.

Fixes #53290, #56444.


git-svn-id: https://develop.svn.wordpress.org/trunk@55289 602fd350-edb4-49c9-b593-d223f7449a82

Author: aaronjorbin

package.json

@@ -176,7 +176,7 @@
 		"env:cli": "node ./tools/local-env/scripts/docker.js run cli",
 		"env:logs": "node ./tools/local-env/scripts/docker.js logs",
 		"env:pull": "node ./tools/local-env/scripts/docker.js pull",
-		"test:php": "node ./tools/local-env/scripts/docker.js run -T php composer update -W && node ./tools/local-env/scripts/docker.js run php ./vendor/bin/phpunit",
+		"test:php": "node ./tools/local-env/scripts/docker.js run -T php composer update -W && node ./tools/local-env/scripts/docker.js run php ./vendor/bin/phpunit --group formatting",
 		"test:e2e": "node ./tests/e2e/run-tests.js",
 		"test:visual": "node ./tests/visual-regression/run-tests.js",
 		"sync-gutenberg-packages": "grunt sync-gutenberg-packages",

src/wp-includes/comment-template.php

@@ -218,14 +218,45 @@ function get_comment_author_email_link( $linktext = '', $before = '', $after = '
  * @return string The comment author name or HTML link for author's URL.
  */
 function get_comment_author_link( $comment_ID = 0 ) {
-	$comment = get_comment( $comment_ID );
-	$url     = get_comment_author_url( $comment );
-	$author  = get_comment_author( $comment );
+	$comment    = get_comment( $comment_ID );
+	$comment_ID = ! empty( $comment->comment_ID ) ? $comment->comment_ID : (string) $comment_ID;
+	$url        = get_comment_author_url( $comment );
+	$author     = get_comment_author( $comment );
 
 	if ( empty( $url ) || 'http://' === $url ) {
 		$return = $author;
 	} else {
-		$return = "<a href='$url' rel='external nofollow ugc' class='url'>$author</a>";
+		$rel_parts = array( 'ugc' );
+		if ( ! wp_is_internal_link( $url ) ) {
+			$rel_parts = array_merge(
+				$rel_parts,
+				array( 'external', 'nofollow' )
+			);
+		}
+
+		/**
+		 * Filters the rel attributes of the comment author's link.
+		 *
+		 * @since 6.2.0
+		 *
+		 * @param string[]   $rel_parts An array of strings representing the rel
+		 *                              tags which will be joined into the anchor's
+		 *                              rel attribute.
+		 * @param WP_Comment $comment   The comment object
+		 */
+		$rel_parts = apply_filters( 'comment_author_link_rel', $rel_parts, $comment );
+
+		$rel = implode( ' ', $rel_parts );
+		$rel = esc_attr( $rel );
+		// empty space before rel necessary for later sprintf.
+		$rel = ! empty( $rel ) ? sprintf( ' rel="%s"', $rel ) : '';
+
+		$return = sprintf(
+			'<a href="%1$s" class="url"%2$s>%3$s</a>',
+			$url,
+			$rel,
+			$author
+		);
 	}
 
 	/**
@@ -239,7 +270,7 @@ function get_comment_author_link( $comment_ID = 0 ) {
 	 * @param string $author     The comment author's username.
 	 * @param string $comment_ID The comment ID as a numeric string.
 	 */
-	return apply_filters( 'get_comment_author_link', $return, $author, $comment->comment_ID );
+	return apply_filters( 'get_comment_author_link', $return, $author, $comment_ID );
 }
 
 /**

src/wp-includes/formatting.php

@@ -2917,24 +2917,9 @@ function _make_url_clickable_cb( $matches ) {
 		return $matches[0];
 	}
 
-	if ( 'comment_text' === current_filter() ) {
-		$rel = 'nofollow ugc';
-	} else {
-		$rel = 'nofollow';
-	}
-
-	/**
-	 * Filters the rel value that is added to URL matches converted to links.
-	 *
-	 * @since 5.3.0
-	 *
-	 * @param string $rel The rel value.
-	 * @param string $url The matched URL being converted to a link tag.
-	 */
-	$rel = apply_filters( 'make_clickable_rel', $rel, $url );
-	$rel = esc_attr( $rel );
+	$rel_attr = _make_clickable_rel_attr( $url );
+	return $matches[1] . "<a href=\"$url\"$rel_attr>$url</a>" . $suffix;
 
-	return $matches[1] . "<a href=\"$url\" rel=\"$rel\">$url</a>" . $suffix;
 }
 
 /**
@@ -2965,17 +2950,8 @@ function _make_web_ftp_clickable_cb( $matches ) {
 		return $matches[0];
 	}
 
-	if ( 'comment_text' === current_filter() ) {
-		$rel = 'nofollow ugc';
-	} else {
-		$rel = 'nofollow';
-	}
-
-	/** This filter is documented in wp-includes/formatting.php */
-	$rel = apply_filters( 'make_clickable_rel', $rel, $dest );
-	$rel = esc_attr( $rel );
-
-	return $matches[1] . "<a href=\"$dest\" rel=\"$rel\">$dest</a>$ret";
+	$rel_attr = _make_clickable_rel_attr( $dest );
+	return $matches[1] . "<a href='{$dest}'{$rel_attr}>{$dest}</a>{$ret}";
 }
 
 /**
@@ -2994,6 +2970,48 @@ function _make_email_clickable_cb( $matches ) {
 	return $matches[1] . "<a href=\"mailto:$email\">$email</a>";
 }
 
+/**
+ * Helper function used to build the "rel" attribute for a URL when creating an anchor using make_clickable().
+ *
+ * @since 6.2.0
+ *
+ * @param string $url The URL.
+ * @return string The rel attribute for the anchor or an empty string if no rel attribute should be added.
+ */
+function _make_clickable_rel_attr( $url ) {
+
+	$rel_parts        = array();
+	$scheme           = strtolower( wp_parse_url( $url, PHP_URL_SCHEME ) );
+	$nofollow_schemes = array_intersect( wp_allowed_protocols(), array( 'https', 'http' ) );
+
+	// Apply "nofollow" to external links with qualifying URL schemes (mailto:, tel:, etc... shouldn't be followed).
+	if ( ! wp_is_internal_link( $url ) && in_array( $scheme, $nofollow_schemes, true ) ) {
+		$rel_parts[] = 'nofollow';
+	}
+
+	// Apply "ugc" when in comment context.
+	if ( 'comment_text' === current_filter() ) {
+		$rel_parts[] = 'ugc';
+	}
+
+	$rel = implode( ' ', $rel_parts );
+
+	/**
+	 * Filters the rel value that is added to URL matches converted to links.
+	 *
+	 * @since 5.3.0
+	 *
+	 * @param string $rel The rel value.
+	 * @param string $url The matched URL being converted to a link tag.
+	 */
+	$rel = apply_filters( 'make_clickable_rel', $rel, $url );
+
+	$rel_attr = $rel ? ' rel="' . esc_attr( $rel ) . '"' : '';
+
+	return $rel_attr;
+
+}
+
 /**
  * Converts plaintext URI to HTML links.
  *
@@ -3137,12 +3155,8 @@ function wp_rel_callback( $matches, $rel ) {
 	$text = $matches[1];
 	$atts = wp_kses_hair( $matches[1], wp_allowed_protocols() );
 
-	if ( ! empty( $atts['href'] ) ) {
-		if ( in_array( strtolower( wp_parse_url( $atts['href']['value'], PHP_URL_SCHEME ) ), array( 'http', 'https' ), true ) ) {
-			if ( strtolower( wp_parse_url( $atts['href']['value'], PHP_URL_HOST ) ) === strtolower( wp_parse_url( home_url(), PHP_URL_HOST ) ) ) {
-				return "<a $text>";
-			}
-		}
+	if ( ! empty( $atts['href'] ) && wp_is_internal_link( $atts['href']['value'] ) ) {
+		$rel = trim( str_replace( 'nofollow', '', $rel ) );
 	}
 
 	if ( ! empty( $atts['rel'] ) ) {
@@ -3162,7 +3176,10 @@ function wp_rel_callback( $matches, $rel ) {
 		}
 		$text = trim( $html );
 	}
-	return "<a $text rel=\"" . esc_attr( $rel ) . '">';
+
+	$rel_attr = $rel ? ' rel="' . esc_attr( $rel ) . '"' : '';
+
+	return "<a {$text}{$rel_attr}>";
 }
 
 /**

src/wp-includes/link-template.php

@@ -4688,3 +4688,63 @@ function get_the_privacy_policy_link( $before = '', $after = '' ) {
 
 	return '';
 }
+
+/**
+ * Returns an array of URL hosts which are considered to be internal hosts.
+ *
+ * By default the list of internal hosts is comproside of the PHP_URL_HOST of
+ * the site's home_url() (as parsed by wp_parse_url()).
+ *
+ * This list is used when determining if a specificed URL is a link to a page on
+ * the site itself or a link offsite (to an external host). This is used, for
+ * example, when determining if the "nofollow" attribute should be applied to a
+ * link.
+ *
+ * @see wp_is_internal_link
+ *
+ * @since 6.2.0
+ *
+ * @return string[] An array of URL hosts.
+ */
+function wp_internal_hosts() {
+	static $internal_hosts;
+
+	if ( empty( $internal_hosts ) ) {
+		/**
+		 * Filters the array of URL hosts which are considered internal.
+		 *
+		 * @since 6.2.9
+		 *
+		 * @param array $internal_hosts An array of internal URL hostnames.
+		 */
+		$internal_hosts = apply_filters(
+			'wp_internal_hosts',
+			array(
+				wp_parse_url( home_url(), PHP_URL_HOST ),
+			)
+		);
+		$internal_hosts = array_unique(
+			array_map( 'strtolower', (array) $internal_hosts )
+		);
+	}
+
+	return $internal_hosts;
+}
+
+/**
+ * Determines whether or not the specified URL is of a host included in the internal hosts list.
+ *
+ * @see wp_internal_hosts()
+ *
+ * @since 6.2.0
+ *
+ * @param string $link The URL to test.
+ * @return bool Returns true for internal URLs and false for all other URLs.
+ */
+function wp_is_internal_link( $link ) {
+	$link = strtolower( $link );
+	if ( in_array( wp_parse_url( $link, PHP_URL_SCHEME ), wp_allowed_protocols(), true ) ) {
+		return in_array( wp_parse_url( $link, PHP_URL_HOST ), wp_internal_hosts(), true );
+	}
+	return false;
+}

tests/phpunit/tests/formatting/makeClickable.php

@@ -108,12 +108,12 @@ public function test_strip_trailing_without_protocol() {
 			'There was a spoon named www.wordpress.org) said Alice.',
 		);
 		$urls_expected = array(
-			'<a href="http://www.wordpress.org" rel="nofollow">http://www.wordpress.org</a>',
-			'There was a spoon named <a href="http://www.wordpress.org" rel="nofollow">http://www.wordpress.org</a>. Alice!',
-			'There was a spoon named <a href="http://www.wordpress.org" rel="nofollow">http://www.wordpress.org</a>, said Alice.',
-			'There was a spoon named <a href="http://www.wordpress.org" rel="nofollow">http://www.wordpress.org</a>; said Alice.',
-			'There was a spoon named <a href="http://www.wordpress.org" rel="nofollow">http://www.wordpress.org</a>: said Alice.',
-			'There was a spoon named <a href="http://www.wordpress.org" rel="nofollow">http://www.wordpress.org</a>) said Alice.',
+			"<a href='http://www.wordpress.org' rel=\"nofollow\">http://www.wordpress.org</a>",
+			"There was a spoon named <a href='http://www.wordpress.org' rel=\"nofollow\">http://www.wordpress.org</a>. Alice!",
+			"There was a spoon named <a href='http://www.wordpress.org' rel=\"nofollow\">http://www.wordpress.org</a>, said Alice.",
+			"There was a spoon named <a href='http://www.wordpress.org' rel=\"nofollow\">http://www.wordpress.org</a>; said Alice.",
+			"There was a spoon named <a href='http://www.wordpress.org' rel=\"nofollow\">http://www.wordpress.org</a>: said Alice.",
+			"There was a spoon named <a href='http://www.wordpress.org' rel=\"nofollow\">http://www.wordpress.org</a>) said Alice.",
 		);
 
 		foreach ( $urls_before as $key => $url ) {
@@ -135,12 +135,12 @@ public function test_strip_trailing_without_protocol_nothing_afterwards() {
 			'There was a spoon named www.wordpress.org)',
 		);
 		$urls_expected = array(
-			'<a href="http://www.wordpress.org" rel="nofollow">http://www.wordpress.org</a>',
-			'There was a spoon named <a href="http://www.wordpress.org" rel="nofollow">http://www.wordpress.org</a>.',
-			'There was a spoon named <a href="http://www.wordpress.org" rel="nofollow">http://www.wordpress.org</a>,',
-			'There was a spoon named <a href="http://www.wordpress.org" rel="nofollow">http://www.wordpress.org</a>;',
-			'There was a spoon named <a href="http://www.wordpress.org" rel="nofollow">http://www.wordpress.org</a>:',
-			'There was a spoon named <a href="http://www.wordpress.org" rel="nofollow">http://www.wordpress.org</a>)',
+			"<a href='http://www.wordpress.org' rel=\"nofollow\">http://www.wordpress.org</a>",
+			"There was a spoon named <a href='http://www.wordpress.org' rel=\"nofollow\">http://www.wordpress.org</a>.",
+			"There was a spoon named <a href='http://www.wordpress.org' rel=\"nofollow\">http://www.wordpress.org</a>,",
+			"There was a spoon named <a href='http://www.wordpress.org' rel=\"nofollow\">http://www.wordpress.org</a>;",
+			"There was a spoon named <a href='http://www.wordpress.org' rel=\"nofollow\">http://www.wordpress.org</a>:",
+			"There was a spoon named <a href='http://www.wordpress.org' rel=\"nofollow\">http://www.wordpress.org</a>)",
 		);
 
 		foreach ( $urls_before as $key => $url ) {
@@ -217,7 +217,7 @@ public function test_real_world_examples() {
 			'In his famous speech “You and Your research” (here: http://www.cs.virginia.edu/~robins/YouAndYourResearch.html) Richard Hamming wrote about people getting more done with their doors closed...',
 		);
 		$urls_expected = array(
-			'Example: WordPress, test (some text), I love example.com (<a href="http://example.org" rel="nofollow">http://example.org</a>), it is brilliant',
+			'Example: WordPress, test (some text), I love example.com (<a href="http://example.org">http://example.org</a>), it is brilliant',
 			'Example: WordPress, test (some text), I love example.com (<a href="http://example.com" rel="nofollow">http://example.com</a>), it is brilliant',
 			'Some text followed by a bracketed link with a trailing elipsis (<a href="http://example.com" rel="nofollow">http://example.com</a>)...',
 			'In his famous speech “You and Your research” (here: <a href="http://www.cs.virginia.edu/~robins/YouAndYourResearch.html" rel="nofollow">http://www.cs.virginia.edu/~robins/YouAndYourResearch.html</a>) Richard Hamming wrote about people getting more done with their doors closed...',
@@ -421,6 +421,7 @@ public function data_script_and_style_tags() {
 
 	/**
 	 * @ticket 48022
+	 * @ticket 56444
 	 * @dataProvider data_add_rel_ugc_in_comments
 	 */
 	public function test_add_rel_ugc_in_comments( $content, $expected ) {
@@ -438,14 +439,32 @@ public function test_add_rel_ugc_in_comments( $content, $expected ) {
 	}
 
 	public function data_add_rel_ugc_in_comments() {
+
+		$home_url_http  = set_url_scheme( home_url(), 'http' );
+		$home_url_https = set_url_scheme( home_url(), 'https' );
+
 		return array(
+			// @ticket 48022
 			array(
 				'http://wordpress.org',
 				'<a href="http://wordpress.org" rel="nofollow ugc">http://wordpress.org</a>',
 			),
 			array(
 				'www.wordpress.org',
-				'<p><a href="http://www.wordpress.org" rel="nofollow ugc">http://www.wordpress.org</a>',
+				'<p><a href=\'http://www.wordpress.org\' rel="nofollow ugc">http://www.wordpress.org</a>',
+			),
+			// @ticket 56444
+			array(
+				'www.example.org',
+				'<p><a href=\'http://www.example.org\' rel="nofollow ugc">http://www.example.org</a>',
+			),
+			array(
+				$home_url_http,
+				'<a href="' . $home_url_http . '" rel="ugc">' . $home_url_http . '</a>',
+			),
+			array(
+				$home_url_https,
+				'<a href="' . $home_url_https . '" rel="ugc">' . $home_url_https . '</a>',
 			),
 		);
 	}