Hidden Links now highlighted
-
We've noticed in the past week that fairly innocuous looking posts are coming in from brand-new users containing spam links with no anchor text. They're caught by the post queue but at face value, they could be accepted by a moderator as the links themselves were hidden from view.
It was only once you inspected the raw post content that the hidden link was revealed (e.g. `innocuous text [](//malicious.org)`). To combat this, NodeBB will now explicitly expose hidden links so that they can be easily seen and caught.
If you are viewing this post from outside of NodeBB, you might not see anything! That means your software might be vulnerable to this kind of spam backlink injection. Best case, your software detects the empty link text and removes it completely. Worst case, you're allowing them in unknowingly.
Last thing, it's possible this has been around for ages and I only just noticed (thanks also to @pitaj for pointing out the hidden links from an earlier post!). If you browse around the forum and see some of these hidden links scattered around some posts, flag them immediately so we can take a look.
Thank you!
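The empty-anchor-text pattern described in the post above can be checked for in raw post content before moderation. This is an added example, not part of the original post and not NodeBB's own code; the function names, regexes and sample strings are assumptions constructed for illustration.

```javascript
// Added example: flag Markdown/HTML links whose anchor text renders as nothing.
const INVISIBLE = /[\s\u200B-\u200D\u2060\uFEFF]/g; // whitespace and zero-width characters

// [text](target), but not an image ![alt](src); bracket-free text only.
const MD_LINK = /(?<!!)\[([^\[\]]*)\]\(\s*([^()\s]+)[^()]*\)/g;
// <a ... href="target" ...>text</a> where text contains no nested tags.
const HTML_LINK = /<a\b[^>]*\bhref\s*=\s*["']?([^"'\s>]+)[^>]*>([^<]*)<\/a\s*>/gi;

// True when nothing visible is left after removing invisible characters.
function isHidden(text) {
  return text.replace(INVISIBLE, '') === '';
}

// Return every link in the raw post body that a reader could not see.
function findHiddenLinks(raw) {
  const hits = [];
  for (const m of raw.matchAll(MD_LINK)) {
    if (isHidden(m[1])) hits.push({ kind: 'markdown', target: m[2], index: m.index });
  }
  for (const m of raw.matchAll(HTML_LINK)) {
    if (isHidden(m[2])) hits.push({ kind: 'html', target: m[1], index: m.index });
  }
  return hits.sort((a, b) => a.index - b.index);
}

// Rewrite hidden Markdown links so the target itself becomes the visible text.
function exposeHiddenLinks(raw) {
  return raw.replace(MD_LINK, (whole, text, target) =>
    (isHidden(text) ? `[${target}](${target})` : whole));
}

// Constructed sample posts (not taken from any real forum).
const SAMPLE = [
  'innocuous text [](//malicious.org)',
  'normal [docs](https://example.com/docs) and ![](https://example.com/pic.png)',
  'zero-width [\u200B](https://spam.example) and <a href="https://spam.example/x"> </a>',
].join('\n');

for (const hit of findHiddenLinks(SAMPLE)) {
  console.log(`${hit.kind} link with no visible text -> ${hit.target}`);
}
```

Ordinary links and images with empty alt text are left alone; only anchors whose text is empty, whitespace or zero-width characters are reported.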
-
@julian hopefully it's the latter cause I don't see a thing. Mastodon is probably just removing it, I hope.
-
Tom Casavant replied to BeAware :fediverse:
-
@[email protected] I just checked, Mastodon faithfully renders the link. However it does do basic mitigation like adding `nofollow noopener noreferrer` to `rel`, which means search engines shouldn't assign them any credit.
-
BeAware :fediverse: replied to Tom Casavant
-
Blake Leonard replied to julian
@julian Iceshrimp classic shows the link as `https://community.nodebb.org//community.nodebb.org` (and links to that) and assigns it "nofollow noopener". I think the page doesn't render unless you use JavaScript anyway so it shouldn't affect search rankings?