Fixes #3411 output/url now has a is_trusted parameter - defaults to false

2 files changed, 17 insertions, 4 deletions

diff --git a/views/default/output/tag.php b/views/default/output/tag.php
index abae9c4b2..3c002a31b 100644
--- a/views/default/output/tag.php
+++ b/views/default/output/tag.php
@@ -26,5 +26,9 @@ if (isset($vars['value'])) {
 		$type = "";
 	}
 	$url = elgg_get_site_url() . 'search?q=' . urlencode($vars['value']) . "&search_type=tags{$type}{$subtype}{$object}";
-	echo elgg_view('output/url', array('href' => $url, 'text' => $vars['value'], 'rel' => 'tag'));
+	echo elgg_view('output/url', array(
+		'href' => $url,
+		'text' => $vars['value'],
+		'rel' => 'tag',
+	));
 }
diff --git a/views/default/output/url.php b/views/default/output/url.php
index 79ab52377..81b02087d 100644
--- a/views/default/output/url.php
+++ b/views/default/output/url.php
@@ -10,7 +10,7 @@
  * @uses string $vars['href']        The unencoded url string
  * @uses bool   $vars['encode_text'] Run $vars['text'] through htmlspecialchars() (false)
  * @uses bool   $vars['is_action']   Is this a link to an action (false)
- *
+ * @uses bool   $vars['is_trusted']  Is this link trusted (false)
  */
 
 $url = elgg_extract('href', $vars, null);
@@ -37,11 +37,20 @@ if ($url) {
 
 	if (elgg_extract('is_action', $vars, false)) {
 		$url = elgg_add_action_tokens_to_url($url, false);
-		unset($vars['is_action']);
+	}
+
+	if (!elgg_extract('is_trusted', $vars, false)) {
+		if (!isset($vars['rel'])) {
+			$vars['rel'] = 'nofollow';
+			$url = strip_tags($url);
+		}
 	}
 
 	$vars['href'] = $url;
 }
 
+unset($vars['is_action']);
+unset($vars['is_trusted']);
+
 $attributes = elgg_format_attributes($vars);
-echo "<a $attributes>$text</a>";
\ No newline at end of file
+echo "<a $attributes>$text</a>";