From d5f0d44d4ddf33db2248ef0bdd44633d57c31683 Mon Sep 17 00:00:00 2001
From: Cash Costello <cash.costello@gmail.com>
Date: Sat, 8 Oct 2011 08:22:08 -0400
Subject: Fixes #3411 output/url now has a is_trusted parameter - defaults to
 false

---
 views/default/admin/appearance/default_widgets.php |  1 +
 .../admin/appearance/profile_fields/list.php       |  3 +-
 views/default/admin/header.php                     |  2 ++
 views/default/icon/default.php                     |  1 +
 views/default/icon/user/default.php                |  1 +
 views/default/navigation/breadcrumbs.php           |  1 +
 views/default/navigation/menu/user_hover.php       |  1 +
 views/default/navigation/pagination.php            |  2 ++
 views/default/navigation/tabs.php                  |  6 +++-
 views/default/object/admin_notice.php              |  3 +-
 views/default/object/default.php                   |  1 +
 views/default/object/elements/summary.php          |  1 +
 views/default/object/plugin/advanced.php           | 33 +++++++++++++---------
 views/default/object/plugin/simple.php             |  3 +-
 views/default/object/widget/elements/controls.php  |  1 +
 views/default/output/tag.php                       |  6 +++-
 views/default/output/url.php                       | 15 ++++++++--
 views/default/page/elements/footer.php             |  1 +
 views/default/page/elements/tagcloud_block.php     |  1 +
 views/default/page/layouts/widgets/add_button.php  |  1 +
 views/default/river/elements/body.php              |  2 ++
 views/default/river/elements/responses.php         |  1 +
 views/default/river/elements/summary.php           |  3 ++
 .../river/user/default/profileiconupdate.php       |  1 +
 views/default/river/user/default/profileupdate.php |  1 +
 views/default/widgets/content_stats/content.php    |  1 +
 26 files changed, 72 insertions(+), 21 deletions(-)

(limited to 'views/default')

diff --git a/views/default/admin/appearance/default_widgets.php b/views/default/admin/appearance/default_widgets.php
index 4416dc8f6..1bf5791ac 100644
--- a/views/default/admin/appearance/default_widgets.php
+++ b/views/default/admin/appearance/default_widgets.php
@@ -17,6 +17,7 @@ if ($object) {
 		'text' => elgg_echo('upgrade'),
 		'href' => 'action/widgets/upgrade',
 		'is_action' => true,
+		'is_trusted' => true,
 		'class' => 'elgg_button elgg-button-submit',
 		'title' => 'Upgrade your default widgets to work on Elgg 1.8',
 	));
diff --git a/views/default/admin/appearance/profile_fields/list.php b/views/default/admin/appearance/profile_fields/list.php
index 6e79838ea..f4ff1e986 100644
--- a/views/default/admin/appearance/profile_fields/list.php
+++ b/views/default/admin/appearance/profile_fields/list.php
@@ -39,8 +39,9 @@ foreach ($items as $item) {
 	//$even_odd = ( 'odd' != $even_odd ) ? 'odd' : 'even';
 	$url = elgg_view('output/url', array(
 		'href' => "action/profile/fields/delete?id={$item->shortname}",
-		'is_action' => TRUE,
 		'text' => elgg_view_icon('delete-alt'),
+		'is_action' => true,
+		'is_trusted' => true,
 	));
 	$type = elgg_echo($item->type);
 	echo <<<HTML
diff --git a/views/default/admin/header.php b/views/default/admin/header.php
index 3919c017e..331190a88 100644
--- a/views/default/admin/header.php
+++ b/views/default/admin/header.php
@@ -7,10 +7,12 @@ $admin_title = elgg_get_site_entity()->name . ' ' . elgg_echo('admin');
 $view_site = elgg_view('output/url', array(
 	'href' => elgg_get_site_url(),
 	'text' => elgg_echo('admin:view_site'),
+	'is_trusted' => true,
 ));
 $logout = elgg_view('output/url', array(
 	'href' => 'action/logout',
 	'text' => elgg_echo('logout'),
+	'is_trusted' => true,
 ));
 ?>
 <h1 class="elgg-heading-site">
diff --git a/views/default/icon/default.php b/views/default/icon/default.php
index 3abd96b96..533b92c43 100644
--- a/views/default/icon/default.php
+++ b/views/default/icon/default.php
@@ -39,6 +39,7 @@ if ($url) {
 	echo elgg_view('output/url', array(
 		'href' => $url,
 		'text' => $img,
+		'is_trusted' => true,
 	));
 } else {
 	echo $img;
diff --git a/views/default/icon/user/default.php b/views/default/icon/user/default.php
index aca03521f..0eb3691bd 100644
--- a/views/default/icon/user/default.php
+++ b/views/default/icon/user/default.php
@@ -66,6 +66,7 @@ if ($show_menu) {
 echo elgg_view('output/url', array(
 	'href' => $user->getURL(),
 	'text' => $icon,
+	'is_trusted' => true,
 ));
 ?>
 </div>
diff --git a/views/default/navigation/breadcrumbs.php b/views/default/navigation/breadcrumbs.php
index bad73c4b3..88577a8ff 100644
--- a/views/default/navigation/breadcrumbs.php
+++ b/views/default/navigation/breadcrumbs.php
@@ -30,6 +30,7 @@ if (is_array($breadcrumbs) && count($breadcrumbs) > 0) {
 			$crumb = elgg_view('output/url', array(
 				'href' => $breadcrumb['link'],
 				'text' => $breadcrumb['title'],
+				'is_trusted' => true,
 			));
 		} else {
 			$crumb = $breadcrumb['title'];
diff --git a/views/default/navigation/menu/user_hover.php b/views/default/navigation/menu/user_hover.php
index e32e5ab57..5c89e585c 100644
--- a/views/default/navigation/menu/user_hover.php
+++ b/views/default/navigation/menu/user_hover.php
@@ -19,6 +19,7 @@ echo '<ul class="elgg-menu elgg-menu-hover">';
 $name_link = elgg_view('output/url', array(
 	'href' => $user->getURL(),
 	'text' => "<span class=\"elgg-heading-basic\">$user->name</span>&#64;$user->username",
+	'is_trusted' => true,
 ));
 echo "<li>$name_link</li>";
 
diff --git a/views/default/navigation/pagination.php b/views/default/navigation/pagination.php
index c0cb801dd..4df5cf575 100644
--- a/views/default/navigation/pagination.php
+++ b/views/default/navigation/pagination.php
@@ -42,10 +42,12 @@ $pages = new stdClass();
 $pages->prev = array(
 	'text' => '&laquo; ' . elgg_echo('previous'),
 	'href' => '',
+	'is_trusted' => true,
 );
 $pages->next = array(
 	'text' => elgg_echo('next') . ' &raquo;',
 	'href' => '',
+	'is_trusted' => true,
 );
 $pages->items = array();
 
diff --git a/views/default/navigation/tabs.php b/views/default/navigation/tabs.php
index 0108126ad..e8fde3579 100644
--- a/views/default/navigation/tabs.php
+++ b/views/default/navigation/tabs.php
@@ -47,7 +47,7 @@ if (isset($vars['tabs']) && is_array($vars['tabs']) && !empty($vars['tabs'])) {
 		$options = array(
 			'href' => $url,
 			'title' => $title,
-			'text' => $title
+			'text' => $title,
 		);
 
 		if (isset($info['url_class'])) {
@@ -58,6 +58,10 @@ if (isset($vars['tabs']) && is_array($vars['tabs']) && !empty($vars['tabs'])) {
 			$options['id'] = $info['url_id'];
 		}
 
+		if (!isset($info['rel']) && !isset($info['is_trusted'])) {
+			$options['is_trusted'] = true;
+		}
+
 		$link = elgg_view('output/url', $options);
 
 		echo "<li $class_str $js>$link</li>";
diff --git a/views/default/object/admin_notice.php b/views/default/object/admin_notice.php
index 086eddb1f..11524567e 100644
--- a/views/default/object/admin_notice.php
+++ b/views/default/object/admin_notice.php
@@ -11,7 +11,8 @@ if (isset($vars['entity']) && elgg_instanceof($vars['entity'], 'object', 'admin_
 		'href' => "action/admin/delete_admin_notice?guid=$notice->guid",
 		'text' => '<span class="elgg-icon elgg-icon-delete"></span>',
 		'is_action' => true,
-		'class' => 'elgg-admin-notice'
+		'class' => 'elgg-admin-notice',
+		'is_trusted' => true,
 	));
 
 	echo "<p>$delete$message</p>";
diff --git a/views/default/object/default.php b/views/default/object/default.php
index a50f19387..a9c3e15ca 100644
--- a/views/default/object/default.php
+++ b/views/default/object/default.php
@@ -28,6 +28,7 @@ if ($owner) {
 	$owner_link = elgg_view('output/url', array(
 		'href' => $owner->getURL(),
 		'text' => $owner->name,
+		'is_trusted' => true,
 	));
 }
 
diff --git a/views/default/object/elements/summary.php b/views/default/object/elements/summary.php
index 10cf0b148..3ca4de2be 100644
--- a/views/default/object/elements/summary.php
+++ b/views/default/object/elements/summary.php
@@ -29,6 +29,7 @@ if ($title_link === '') {
 	$params = array(
 		'text' => $text,
 		'href' => $entity->getURL(),
+		'is_trusted' => true,
 	);
 	$title_link = elgg_view('output/url', $params);
 }
diff --git a/views/default/object/plugin/advanced.php b/views/default/object/plugin/advanced.php
index 1fabaff04..db4e4dbcc 100644
--- a/views/default/object/plugin/advanced.php
+++ b/views/default/object/plugin/advanced.php
@@ -40,9 +40,10 @@ if ($reordering) {
 		));
 
 		$links .= "<li>" . elgg_view('output/url', array(
-			'href' 		=> $top_url,
-			'text'		=> elgg_echo('top'),
-			'is_action'	=> true
+			'href' => $top_url,
+			'text' => elgg_echo('top'),
+			'is_action' => true,
+			'is_trusted' => true,
 		)) . "</li>";
 
 		$up_url = elgg_http_add_url_query_elements($actions_base . 'set_priority', array(
@@ -52,9 +53,10 @@ if ($reordering) {
 		));
 
 		$links .= "<li>" . elgg_view('output/url', array(
-			'href' 		=> $up_url,
-			'text'		=> elgg_echo('up'),
-			'is_action'	=> true
+			'href' => $up_url,
+			'text' => elgg_echo('up'),
+			'is_action' => true,
+			'is_trusted' => true,
 		)) . "</li>";
 	}
 
@@ -67,9 +69,10 @@ if ($reordering) {
 		));
 
 		$links .= "<li>" . elgg_view('output/url', array(
-			'href' 		=> $down_url,
-			'text'		=> elgg_echo('down'),
-			'is_action'	=> true
+			'href' => $down_url,
+			'text' => elgg_echo('down'),
+			'is_action'	=> true,
+			'is_trusted' => true,
 		)) . "</li>";
 
 		$bottom_url = elgg_http_add_url_query_elements($actions_base . 'set_priority', array(
@@ -81,7 +84,8 @@ if ($reordering) {
 		$links .= "<li>" . elgg_view('output/url', array(
 			'href' 		=> $bottom_url,
 			'text'		=> elgg_echo('bottom'),
-			'is_action'	=> true
+			'is_action'	=> true,
+			'is_trusted' => true,
 		)) . "</li>";
 	}
 } else {
@@ -93,7 +97,8 @@ if ($reordering) {
 
 // always let them deactivate
 $options = array(
-	'is_action' => true
+	'is_action' => true,
+	'is_trusted' => true,
 );
 if ($active) {
 	$active_class = 'elgg-state-active';
@@ -163,7 +168,8 @@ $author = '<span>' . elgg_echo('admin:plugins:label:author') . '</span>: '
 $version = htmlspecialchars($plugin->getManifest()->getVersion());
 $website = elgg_view('output/url', array(
 	'href' => $plugin->getManifest()->getWebsite(),
-	'text' => $plugin->getManifest()->getWebsite()
+	'text' => $plugin->getManifest()->getWebsite(),
+	'is_trusted' => true,
 ));
 
 $copyright = elgg_view('output/text', array('value' => $plugin->getManifest()->getCopyright()));
@@ -179,7 +185,8 @@ if ($files) {
 		$url = 'admin_plugin_text_file/' . $plugin->getID() . "/$file";
 		$link = elgg_view('output/url', array(
 			'text' => $file,
-			'href' => $url
+			'href' => $url,
+			'is_trusted' => true,
 		));
 		$docs .= "<li>$link</li>";
 
diff --git a/views/default/object/plugin/simple.php b/views/default/object/plugin/simple.php
index f4cc944f4..4d392e71a 100644
--- a/views/default/object/plugin/simple.php
+++ b/views/default/object/plugin/simple.php
@@ -49,7 +49,8 @@ foreach ($files as $file => $path) {
 	$url = 'admin_plugin_text_file/' . $plugin->getID() . "/$file";
 	$link = elgg_view('output/url', array(
 		'text' => $file,
-		'href' => $url
+		'href' => $url,
+		'is_trusted' => true,
 	));
 	$plugin_footer .= "<li>$link</li>";
 
diff --git a/views/default/object/widget/elements/controls.php b/views/default/object/widget/elements/controls.php
index abf2154fc..6d06d28bc 100644
--- a/views/default/object/widget/elements/controls.php
+++ b/views/default/object/widget/elements/controls.php
@@ -24,6 +24,7 @@ if ($widget->canEdit()) {
 		'title' => elgg_echo('widget:delete', array($widget->getTitle())),
 		'href' => "action/widgets/delete?guid=$widget->guid",
 		'is_action' => true,
+		'is_trusted' => true,
 		'class' => 'elgg-widget-delete-button',
 		'id' => "elgg-widget-delete-button-$widget->guid"
 	);
diff --git a/views/default/output/tag.php b/views/default/output/tag.php
index abae9c4b2..3c002a31b 100644
--- a/views/default/output/tag.php
+++ b/views/default/output/tag.php
@@ -26,5 +26,9 @@ if (isset($vars['value'])) {
 		$type = "";
 	}
 	$url = elgg_get_site_url() . 'search?q=' . urlencode($vars['value']) . "&search_type=tags{$type}{$subtype}{$object}";
-	echo elgg_view('output/url', array('href' => $url, 'text' => $vars['value'], 'rel' => 'tag'));
+	echo elgg_view('output/url', array(
+		'href' => $url,
+		'text' => $vars['value'],
+		'rel' => 'tag',
+	));
 }
diff --git a/views/default/output/url.php b/views/default/output/url.php
index 79ab52377..81b02087d 100644
--- a/views/default/output/url.php
+++ b/views/default/output/url.php
@@ -10,7 +10,7 @@
  * @uses string $vars['href']        The unencoded url string
  * @uses bool   $vars['encode_text'] Run $vars['text'] through htmlspecialchars() (false)
  * @uses bool   $vars['is_action']   Is this a link to an action (false)
- *
+ * @uses bool   $vars['is_trusted']  Is this link trusted (false)
  */
 
 $url = elgg_extract('href', $vars, null);
@@ -37,11 +37,20 @@ if ($url) {
 
 	if (elgg_extract('is_action', $vars, false)) {
 		$url = elgg_add_action_tokens_to_url($url, false);
-		unset($vars['is_action']);
+	}
+
+	if (!elgg_extract('is_trusted', $vars, false)) {
+		if (!isset($vars['rel'])) {
+			$vars['rel'] = 'nofollow';
+			$url = strip_tags($url);
+		}
 	}
 
 	$vars['href'] = $url;
 }
 
+unset($vars['is_action']);
+unset($vars['is_trusted']);
+
 $attributes = elgg_format_attributes($vars);
-echo "<a $attributes>$text</a>";
\ No newline at end of file
+echo "<a $attributes>$text</a>";
diff --git a/views/default/page/elements/footer.php b/views/default/page/elements/footer.php
index 06fdb84a5..596d17bd3 100644
--- a/views/default/page/elements/footer.php
+++ b/views/default/page/elements/footer.php
@@ -17,5 +17,6 @@ echo elgg_view('output/url', array(
 	'href' => 'http://elgg.org',
 	'text' => "<img src=\"$powered_url\" alt=\"Powered by Elgg\" width=\"106\" height=\"15\" />",
 	'class' => '',
+	'is_trusted' => true,
 ));
 echo '</div>';
diff --git a/views/default/page/elements/tagcloud_block.php b/views/default/page/elements/tagcloud_block.php
index 8b67c9e37..258951c41 100644
--- a/views/default/page/elements/tagcloud_block.php
+++ b/views/default/page/elements/tagcloud_block.php
@@ -50,6 +50,7 @@ $cloud .= elgg_view_icon('tag');
 $cloud .= elgg_view('output/url', array(
 	'href' => 'tags',
 	'text' => elgg_echo('tagcloud:allsitetags'),
+	'is_trusted' => true,
 ));
 $cloud .= '</p>';
 
diff --git a/views/default/page/layouts/widgets/add_button.php b/views/default/page/layouts/widgets/add_button.php
index 89e83b096..c33a45f99 100644
--- a/views/default/page/layouts/widgets/add_button.php
+++ b/views/default/page/layouts/widgets/add_button.php
@@ -10,6 +10,7 @@
 		'text' => elgg_echo('widgets:add'),
 		'class' => 'elgg-button elgg-button-action',
 		'rel' => 'toggle',
+		'is_trusted' => true,
 	));
 ?>
 </div>
diff --git a/views/default/river/elements/body.php b/views/default/river/elements/body.php
index c5a525733..6894b81e2 100644
--- a/views/default/river/elements/body.php
+++ b/views/default/river/elements/body.php
@@ -27,6 +27,7 @@ if ($summary === false) {
 		'href' => $subject->getURL(),
 		'text' => $subject->name,
 		'class' => 'elgg-river-subject',
+		'is_trusted' => true,
 	));
 }
 
@@ -52,6 +53,7 @@ if ($container instanceof ElggGroup && $container->guid != elgg_get_page_owner_g
 	$group_link = elgg_view('output/url', array(
 		'href' => $container->getURL(),
 		'text' => $container->name,
+		'is_trusted' => true,
 	));
 	$group_string = elgg_echo('river:ingroup', array($group_link));
 }
diff --git a/views/default/river/elements/responses.php b/views/default/river/elements/responses.php
index 8c5be6316..f6c32e142 100644
--- a/views/default/river/elements/responses.php
+++ b/views/default/river/elements/responses.php
@@ -50,6 +50,7 @@ if ($comments) {
 		$params = array(
 			'href' => $url,
 			'text' => elgg_echo('river:comments:more', array($num_more_comments)),
+			'is_trusted' => true,
 		);
 		$link = elgg_view('output/url', $params);
 		echo "<div class=\"elgg-river-more\">$link</div>";
diff --git a/views/default/river/elements/summary.php b/views/default/river/elements/summary.php
index 4d80c29a6..84941131f 100644
--- a/views/default/river/elements/summary.php
+++ b/views/default/river/elements/summary.php
@@ -15,12 +15,14 @@ $subject_link = elgg_view('output/url', array(
 	'href' => $subject->getURL(),
 	'text' => $subject->name,
 	'class' => 'elgg-river-subject',
+	'is_trusted' => true,
 ));
 
 $object_link = elgg_view('output/url', array(
 	'href' => $object->getURL(),
 	'text' => $object->title ? $object->title : $object->name,
 	'class' => 'elgg-river-object',
+	'is_trusted' => true,
 ));
 
 $action = $item->action_type;
@@ -32,6 +34,7 @@ if ($container instanceof ElggGroup) {
 	$params = array(
 		'href' => $container->getURL(),
 		'text' => $container->name,
+		'is_trusted' => true,
 	);
 	$group_link = elgg_view('output/url', $params);
 	$group_string = elgg_echo('river:ingroup', array($group_link));
diff --git a/views/default/river/user/default/profileiconupdate.php b/views/default/river/user/default/profileiconupdate.php
index c7f691533..5c96747bd 100644
--- a/views/default/river/user/default/profileiconupdate.php
+++ b/views/default/river/user/default/profileiconupdate.php
@@ -10,6 +10,7 @@ $subject_link = elgg_view('output/url', array(
 	'href' => $subject->getURL(),
 	'text' => $subject->name,
 	'class' => 'elgg-river-subject',
+	'is_trusted' => true,
 ));
 
 $string = elgg_echo('river:update:user:avatar', array($subject_link));
diff --git a/views/default/river/user/default/profileupdate.php b/views/default/river/user/default/profileupdate.php
index a344131d6..69b69b106 100644
--- a/views/default/river/user/default/profileupdate.php
+++ b/views/default/river/user/default/profileupdate.php
@@ -9,6 +9,7 @@ $subject_link = elgg_view('output/url', array(
 	'href' => $subject->getURL(),
 	'text' => $subject->name,
 	'class' => 'elgg-river-subject',
+	'is_trusted' => true,
 ));
 
 $string = elgg_echo('river:update:user:profile', array($subject_link));
diff --git a/views/default/widgets/content_stats/content.php b/views/default/widgets/content_stats/content.php
index 6a652166c..56772047d 100644
--- a/views/default/widgets/content_stats/content.php
+++ b/views/default/widgets/content_stats/content.php
@@ -23,5 +23,6 @@ echo '<div class="mtm">';
 echo elgg_view('output/url', array(
 	'href' => 'admin/statistics/overview',
 	'text' => elgg_echo('more'),
+	'is_trusted' => true,
 ));
 echo '</div>';
-- 
cgit v1.2.3