[aur-dev] [PATCH] Make external links in comments clickable (FS#20137).

Lukas Fleischer archlinux at cryptocrack.de
Thu Sep 30 12:38:28 EDT 2010

On Thu, Sep 30, 2010 at 06:18:24PM +0200, PyroPeter wrote:
> >+  $url = str_replace('&','&', $url);
> >+  $url = str_replace('&', '&', $url);
> What about the occurrences of "&(html-entity-code-here);" you
> produced the line before?

Nothing? Any occurrence of an HTML entity code is correctly encoded as
"&". People shouldn't be able to manually insert HTML entities in
comments. The first line is actually even superfluous as I realized just
now since ampersands should already have been replaced by
htmlspecialchars() before at the time this line is executed (didn't
check that before, this part of code has been extracted from the
DokuWiki plugin).

> >+  $patterns[] = '(\b(?i)www?(?-i)\.[' . $host . ']+?\.[' . $host . ']+?[' . $any . ']+?(?=[' . $punc . ']*[^' . $any . ']))';
> >+  $patterns[] = '(\b(?i)ftp?(?-i)\.['. $host . ']+?\.[' . $host . ']+?[' . $any . ']+?(?=[' . $punc . ']*[^' . $any . ']))';
> I am not that experienced with PHP, but this looks like the $patterns
> array got replaced instead of extended.

Nope, it doesn't. Check [1].

> >+  $comment = htmlspecialchars($comment);
> Won't this render the next instruction useless if there are
> html-characters in a link?

Nope. Links need to be escaped as well. Not sure what happens if a link
contains quotes or "<"/">". This shouldn't happen too often tho.

> Generally I would not make hostnames ("www.foo.tld") clickable.
> If people are not able to provide proper URL's, they have a serious
> problem. (there is also the technical argument that the hostname is not
> a good indicator for the kind of service the host provides.)

Why not? What if you explicitly want to link to a project's home page?
It'll also just convert hostnames if they start with a "www" or "ftp"
subdomain, so comments refering to domains in other ways won't be


More information about the aur-dev mailing list