[uf-discuss] How to avoid building erroneous social network
mail at ciaranmcnulty.com
Thu Mar 27 02:20:58 PST 2008
On Thu, Mar 27, 2008 at 9:59 AM, Dan Brickley <danbri at danbri.org> wrote:
> On 27 Mar 2008, at 07:34, Ciaran McNulty wrote:
> > The simplest way to stop it is to add @rel="nofollow" to any comment
> > links - this has the effect of negating any XFN values in the links,
> > as well as preventing linkspamming and all sorts of other good stuff.
> Where is this interaction specified? Should a compliant XFN parser not
> emit any data from elements where it finds rel=nofollow? Does that
> extend to all Microformats.org ('big M') microformats?

It's specified here:

Actually it looks like it only applies to @rel="me" from the looks of
things - I'm not aware of any other uFs that interact with nofollow.

> > As others have said, this is a publishing issue rather than a parsing
> > issue. A page that is linked to with @rel="me", and then allows
> > outbound XFN values authored by people who are not the representative,
> > is broken.
> Presumably they could *author* the links, but they just have to bear
> in mind that (if the claims in the page are ever to be true) those
> links describe the person who is the 'primary topic' (or 'owner') of
> the page.

Agreed - in that case it becomes an issue of trust as to who you allow
to author that sort of content.

Any commenting/posting system for 'untrusted' users should be
considering how to filter user input anyhow - if you're allowing
completely rich HTML editing for third parties you have to accept that
they'll do 'bad stuff' sometimes - posting huge images, CSS to blank
the page, embedded malicious OBJECTs and so on.

I've found the only way to guard against markup abuse that you've not
thought of is to have a whitelist-based approach to what content you
allow users to author, i.e. a set list of tags/attributes that are
acceptable. Blacklisting known abuse routes has always ended up as an
exercise in firefighting, in my experience.