Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Social Link block: Obfuscate email address #57384

Merged
merged 1 commit into from
Dec 27, 2023
Merged

Social Link block: Obfuscate email address #57384

merged 1 commit into from
Dec 27, 2023

Conversation

ockham
Copy link
Contributor

@ockham ockham commented Dec 26, 2023
edited
Loading

What?

Obfuscate the email address in the "Mail" variation of the Social Icon block. See #21876 (comment).

Fixes #21876.

Why?

To make it harder for spambots to harvest email addresses.

How?

By using Core's antispambot() function.

Testing Instructions

  • Insert a "Social Links" block into a new post, and add a "Mail" child block to it.
  • Set an email address for that block.
  • View the post on the frontend, and check its page source (not just the element inspector!).
  • Verify that the email address is obfuscated (using HTML entities). Verify that the email address still works (e.g. by clicking on it).

For example, mailto:user@example.com becomes

mailto:user@example.com

Screenshots or screencast

image image

Question

antispambot() has a second argument, $hex_encoding, to enable hex encoding (of entities). Should we use that?

FWIW, this is what mailto:user@example.com becomes with $hex_encoding === 1:

mailto:user@exa%6dple%2ecom

@ockham ockham added [Feature] Blocks Overall functionality of blocks [Block] Social Affects the Social Block - used to display Social Media accounts [Type] Feature New feature to highlight in changelogs. labels Dec 26, 2023
@ockham ockham requested a review from Mamaduka December 26, 2023 16:15
@ockham ockham self-assigned this Dec 26, 2023
@ockham ockham requested a review from ajitbohra as a code owner December 26, 2023 16:15
@ockham
Copy link
Contributor Author

ockham commented Dec 26, 2023

FYI @mrwweb

@ockham
Copy link
Contributor Author

ockham commented Dec 26, 2023

cc/ @sirreal if you happen to be around for a review tomorrow 😊 (Could be a candidate for inclusion in GB 17.4.0, for which the RC1 is scheduled to be published tomorrow. cc/ @bph )

Mamaduka
Mamaduka approved these changes Dec 26, 2023
View reviewed changes
Copy link
Member

@Mamaduka Mamaduka left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you, @ockham!

The changes look good to me.

I wonder if we should make this optional, but I guess we can do that later if there's a request for it.

@ockham
Copy link
Contributor Author

ockham commented Dec 26, 2023

I just noticed that we might have to change the escaping from esc_url() to esc_attr() if we're dealing with an email:

gutenberg/packages/block-library/src/social-link/index.php

Line 56 in 6d4440a

$link .= '<a href="' . esc_url( $url ) . '" class="wp-block-social-link-anchor">';

see https://developer.wordpress.org/reference/functions/antispambot/#comment-2779:

Escaping URL in href attribute will add http:// before email address. In lack of better option, it’s more appropriate to use esc_attr() instead.

(unless esc_url() has been changed since? Need to check.)

@ockham
Copy link
Contributor Author

ockham commented Dec 26, 2023

Ah, disregard my previous comment.

See https://github.com/WordPress/wordpress-develop/blob/0e284447951869fd3ff58b345ec070b0ab97d9bc/src/wp-includes/default-filters.php#L302 and https://github.com/WordPress/wordpress-develop/blob/0e284447951869fd3ff58b345ec070b0ab97d9bc/src/wp-admin/includes/class-wp-comments-list-table.php#L997-L1000. (esc_url() is used to escape 'mailto:' . $email, after $email has been run through antispambot().)

sirreal
sirreal approved these changes Dec 27, 2023
View reviewed changes
Copy link
Member

@sirreal sirreal left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tested and working as expected 👍

@sirreal sirreal merged commit d33e9d2 into trunk Dec 27, 2023
61 checks passed
@sirreal sirreal deleted the update/social-link-block-obfuscate-email branch December 27, 2023 07:50
@github-actions github-actions bot added this to the Gutenberg 17.4 milestone Dec 27, 2023
@bph bph added [Type] Enhancement A suggestion for improvement. and removed [Type] Feature New feature to highlight in changelogs. labels Dec 27, 2023
@Mamaduka Mamaduka mentioned this pull request May 21, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Mamaduka Mamaduka Mamaduka approved these changes

@sirreal sirreal sirreal approved these changes

@ajitbohra ajitbohra Awaiting requested review from ajitbohra ajitbohra is a code owner

Assignees

@ockham ockham

Labels
[Block] Social Affects the Social Block - used to display Social Media accounts [Feature] Blocks Overall functionality of blocks [Type] Enhancement A suggestion for improvement.
Projects
None yet
Milestone
Gutenberg 17.4
Development

Successfully merging this pull request may close these issues.

Improve Email Social Icon with automatic "mailto:" and obfuscation
4 participants
@ockham @Mamaduka @sirreal @bph