Don't allow URLs in collection descriptions

RESOLVED FIXED

Status

addons.mozilla.org Graveyard
Collections
P1
enhancement
RESOLVED FIXED
4 years ago
2 years ago

People

(Reporter: jorgev, Assigned: vinyll)

Tracking

Details

(Whiteboard: [contribute][spampocalypse])

(Reporter)

Description

4 years ago
We're getting a ton of collection spam, most of which are empty collections with URLs in the description. Now allowing descriptions with URLs might discourage spammers from doing this.
I think we can disable links without disabling all HTML.  Pretty sure it's just a flag in the code.  There are probably good examples.
Severity: normal → enhancement
Priority: -- → P3
Whiteboard: [contribute]
(Reporter)

Updated

4 years ago
Whiteboard: [contribute] → [contribute][spampocalypse]
(Reporter)

Comment 2

4 years ago
Spam is becoming a major problem and time sink for us (me, particularly), so I'm making this a P1.
Priority: P3 → P1

Comment 3

4 years ago
I took a stab at this bug: https://github.com/mozilla/zamboni/pull/1665.

Comment 4

4 years ago
What HTML are we actually allowing in the description field? I have tried some common ones but it doesn't seem to get rendered.
(Reporter)

Comment 5

4 years ago
If it uses the same options as the add-on description field, it would support things like <b>, <code>, <ul>, and <ol>. It might be that it only allows text and automatically linkifies things it recognizes as URLs.

Comment 6

4 years ago
Yeah from what I can tell I think it is the latter (only allowing text but linkifies URLs). In this case would the best course of action be to just disable the linkifying or should we have the field support other HTML tags (but not links)?
(Reporter)

Comment 7

4 years ago
It should be text only. We should definitely remove the linkifying and I would go even further and just remove any URLs from the text. Having text URLs might still motivate spammers.
Just a thought: if the aim is to discourage spammers, shouldn't we just prevent collections from being posted if they contain urls (with markup, or just text URLs)?

We could have a form validation, and if there's an URL, display an error message warning that they're not allowed.

This way, automated spam won't work at all, and real humans trying to create a collection will be warned and have a chance to correct the description.

I believe we could keep simple markup though, as for the add-on description field.

Thoughts?
(In reply to mathieu from comment #8)
> Just a thought: if the aim is to discourage spammers, shouldn't we just
> prevent collections from being posted if they contain urls (with markup, or
> just text URLs)?

I think so. If I'm understanding correct, I think that's what Jorge's saying in comment 7.
(Reporter)

Comment 10

4 years ago
My suggestion was to strip URLs from descriptions, but preventing their creation is also a good solution.

Just make sure that the auto-linkification code is also removed, since there are many spam collections still present on the site.
(Assignee)

Updated

4 years ago
Assignee: nobody → vagnano
I'm implementing a way to forbid creating collections with links: trying to submit a collection with a link in its edit form's description will raise a form validation error, asking the user to modify the input.

Even if, for some reason, the link and markup can make their way to the database, before being stored, the markup will be escaped, and the links removed.

So no new collection will have links, and markup will be escaped.

However, how should we deal with existing collections with links in their description? I could simply strip the links when displaying the description, but that would be the case for everybody, not only spammers. If you had a perfectly valid description before the patch, it will be displayed stripped out of its links (URLs and text links).

Here's an example of what I mean:

Before: 'This is my favorite collection from <a href="http://example.com">my best friend</a>.'
After:  'This is my favorite collection from .'
Can't we strip tags?  Turning it into "This is my favorite collection from my best friend."
That would still leave us with the issue when the inner text is itself a link (Jorge asked to remove all kind of links, with or without markup).

So that would change '<a href="http://example.com">http://example.com</a>' into 'http://example.com'
(Reporter)

Comment 14

4 years ago
(In reply to mathieu from comment #13)
> So that would change '<a href="http://example.com">http://example.com</a>'
> into 'http://example.com'

That's fine with me as long as it isn't shown as a link. The ones that are spam we can delete later.
fixed in https://github.com/magopian/zamboni/commit/2aabf985779fb4d415697cbab4af8bbbc98cc6fd
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
Product: addons.mozilla.org → addons.mozilla.org Graveyard
You need to log in before you can comment on or make changes to this bug.