Profile fields are user-created (and can be modified by users at any time), and thus they could potentially be spam. Therefore, profile URLs should be protected with the link condom, i.e. links to URLs in people's profiles should have rel="nofollow".

Comments

Wesley Tanaka’s picture

Status: Active » Needs review
Attachment (new): 417 bytes

patch against HEAD

Wesley Tanaka’s picture

Attachment (new): 879 bytes

identical patch against head in -U 3 format (sorry about previous patch)

Wesley Tanaka’s picture

Attachment (new): 706 bytes

Same patch against 4.7 branch's profile.module,v 1.154.2.6

dries’s picture

Status: Needs review » Needs work

Not sure I agree. They don't have to be spam. Drupal has a filter-option that allows you to enable/disable the link condom. Maybe we should use the profile module to use that filter option.

Wesley Tanaka’s picture

Status: Needs work » Needs review
Attachment (new): 901 bytes

Profile links are as likely to be spam as any other posted content. If rel=nofollow is potentially useful for posted comment, it is also potentially useful for profile links.

The only reference to "rel.*nofollow" I found in the codebase is in _filter_html($text, $format). Attaching a patch which runs the profile link through that function.
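The behaviour discussed in this thread, as an added example that is not the attached patch and not Drupal code: a standalone PHP function that renders a user-supplied profile URL with `rel="nofollow"`. The function name and the `$nofollow` flag (standing in for the filter option mentioned above) are hypothetical; the scheme allow-list and output escaping go beyond what the thread discusses.

```php
<?php
// Added example: plain PHP with no Drupal APIs. All names are hypothetical.

/**
 * Render a user-supplied profile URL as a link.
 *
 * Returns escaped plain text (no link) when the value is not an
 * absolute http(s) URL, so other schemes never reach the href attribute.
 */
function render_profile_url(string $url, bool $nofollow = true): string
{
    $url = trim($url);
    // parse_url() yields null/false for missing or malformed components.
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    $host = parse_url($url, PHP_URL_HOST);

    // Escape once; the same value is safe in attribute and text context.
    $safe = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');

    // Allow-list the scheme and require a host before linking.
    if (!in_array($scheme, ['http', 'https'], true) || empty($host)) {
        return $safe;
    }

    // rel="nofollow" tells crawlers not to credit the target, which
    // removes the incentive for profile-link spam.
    $rel = $nofollow ? ' rel="nofollow"' : '';
    return '<a href="' . $safe . '"' . $rel . '>' . $safe . '</a>';
}

// Constructed sample inputs, not taken from the issue.
$samples = [
    'https://example.com/about?x=1&y=2',
    'javascript:alert(1)',
    'http://example.org/"><script>x</script>',
];
foreach ($samples as $sample) {
    echo render_profile_url($sample), PHP_EOL;
}
```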

Wesley Tanaka’s picture

That didn't come out too clearly. I meant to say:

If we think it's worthwhile to protect against spam links in posted content*, we should also protect against spam links posted in users' profiles.

-----
* which we do

drumm’s picture

Title: profile.module link condom » Add rel="nofollow" to profile url fields
Version: 5.x-dev » 6.x-dev
Category: bug » task

sime’s picture

Status: Needs review » Reviewed & tested by the community

Patch applied.

I set 'format_default_nofollow_0' = TRUE in settings.php (don't think this can be set in UI which is OK IMO)

nofollow applied to profile url as advertised.

I like the option.

dries’s picture

Version: 6.x-dev » 7.x-dev

sun’s picture

Status: Reviewed & tested by the community » Postponed

catch’s picture

Status: Postponed » Needs review

Still applies with offset.

nonenone’s picture

It worked fine for me.
Thanks it was a great advice.

birdmanx35’s picture

This still applies cleanly to core!

gearhead’s picture

Version: 7.x-dev » 5.7

Is there a module that does this?

sun’s picture

Version: 5.7 » 7.x-dev

Resetting version.

webchick’s picture

Status: Needs review » Needs work

No longer applies to 7.x.

aspilicious’s picture

Attachment (new): 887 bytes

This one does (2 years after last post :p)

sun’s picture

Status: Needs work » Needs review

p.selfin’s picture

subscribe

andyceo’s picture

I think this functionality should be optional. So, if it is not in core, this must be in a contributed module.

bangalos’s picture

#17: relNoFoloow.patch queued for re-testing.

Status: Needs review » Needs work

The last submitted patch, relNoFoloow.patch, failed testing.

bangalos’s picture

Status: Needs work » Needs review
Attachment (new): 715 bytes

This patch applies against 7.x-dev. This was done during Drupal Patch Bingo at Droplabs.

Status: Needs review » Needs work

The last submitted patch, 102468_nofollow.patch, failed testing.

bangalos’s picture

Status: Needs work » Needs review
Attachment (new): 761 bytes

This time, I did a real git diff instead of regular diff.

bangalos’s picture

Version: 7.x-dev » 8.x-dev
Attachment (new): 761 bytes

Applying the same patch to Drupal 8.

bangalos’s picture

Status: Needs review » Active

The "URL" Profile field no longer exists in Drupal 7 or Drupal 8! Even though the patch may apply, this issue is irrelevant IMHO. Detailed explanation follows:

In Drupal 6, there is Profile.

In Drupal 7, there is no admin interface to add a URL field.

Is this a bug, or should we write a patch to remove this code?

bangalos’s picture

It looks like this issue depends on #501434: Move Link/URL field type into core which is newer and in drupal-8 queue.

The only reason to keep this code seems to be backwards-compatibility with drupal-6. So, a good patch to do would be to comment the code with this reason. Right?

laura s’s picture

ParisLiakos’s picture

Version: 8.x-dev » 7.x-dev

profile is not in 8.x now

Status: Active » Closed (outdated)

Automatically closed because Drupal 7 security and bugfix support has ended as of 5 January 2025. If the issue verifiably applies to later versions, please reopen with details and update the version.