From 75b05f54c1378270dbcf2035278cf6aefd0aea88 Mon Sep 17 00:00:00 2001
From: muratclk <muratclk@users.noreply.github.com>
Date: Thu, 9 Apr 2026 03:43:06 +0300
Subject: [PATCH] feat: add rel=nofollow to external links on website

Add rel="nofollow" to external-facing links to discourage search engine
crawlers from promoting potentially malicious pages linked from
vulnerability references.

Changes:
- vulnerability.html: Add nofollow to all data-driven links (source
  links, references, CVSS calculators, commit links, package links,
  credit contacts)
- home.html: Add nofollow to third-party repository links
- linter/index.html: Add nofollow to external tool link
- blog: Add Hugo render hook to automatically apply nofollow to
  external links in blog post content

Trusted domains (deps.dev, google.github.io, ossf.github.io,
github.com/google/*, security.googleblog.com, osv.dev) are allowlisted
and do not receive nofollow.

Fixes #4644
---
 .../layouts/_default/_markup/render-link.html | 22 +++++++++++++++++
 gcp/website/frontend3/src/templates/home.html |  8 +++----
 .../frontend3/src/templates/linter/index.html |  2 +-
 .../src/templates/vulnerability.html          | 24 +++++++++----------
 4 files changed, 39 insertions(+), 17 deletions(-)
 create mode 100644 gcp/website/blog/layouts/_default/_markup/render-link.html

diff --git a/gcp/website/blog/layouts/_default/_markup/render-link.html b/gcp/website/blog/layouts/_default/_markup/render-link.html
new file mode 100644
index 00000000000..be680a6dee2
--- /dev/null
+++ b/gcp/website/blog/layouts/_default/_markup/render-link.html
@@ -0,0 +1,22 @@
+{{- $url := .Destination -}}
+{{- $isExternal := or (hasPrefix $url "http://") (hasPrefix $url "https://") -}}
+{{- $isTrusted := false -}}
+{{- if $isExternal -}}
+  {{- $isTrusted = or
+    (hasPrefix $url "https://google.github.io/")
+    (hasPrefix $url "https://ossf.github.io/")
+    (hasPrefix $url "https://deps.dev/")
+    (hasPrefix $url "https://security.googleblog.com/")
+    (hasPrefix $url "https://github.com/google/")
+    (hasPrefix $url "https://osv.dev/")
+    (hasPrefix $url "https://api.osv.dev/")
+  -}}
+{{- end -}}
+<a href="{{ .Destination | safeURL }}"
+  {{- with .Title }} title="{{ . }}"{{ end -}}
+  {{- if $isExternal }} target="_blank"
+    {{- if $isTrusted }} rel="noopener noreferrer"
+    {{- else }} rel="nofollow noopener noreferrer"
+    {{- end -}}
+  {{- end -}}
+>{{ .Text | safeHTML }}</a>
diff --git a/gcp/website/frontend3/src/templates/home.html b/gcp/website/frontend3/src/templates/home.html
index 062a85564e9..85e0b588d8a 100644
--- a/gcp/website/frontend3/src/templates/home.html
+++ b/gcp/website/frontend3/src/templates/home.html
@@ -139,10 +139,10 @@ <h2 class="heading">Data sources</h2>
       <p class="description">
         This infrastructure serves as an aggregator of vulnerability databases
         that have adopted the <a href="https://ossf.github.io/osv-schema/">OSV schema</a>, including
-        <a href="https://github.com/github/advisory-database">GitHub Security Advisories</a>,
-        <a href="https://github.com/pypa/advisory-database">PyPA</a>,
-        <a href="https://github.com/RustSec/advisory-db">RustSec</a>, and
-        <a href="https://github.com/cloudsecurityalliance/gsd-database">Global Security Database</a>, and
+        <a href="https://github.com/github/advisory-database" rel="nofollow">GitHub Security Advisories</a>,
+        <a href="https://github.com/pypa/advisory-database" rel="nofollow">PyPA</a>,
+        <a href="https://github.com/RustSec/advisory-db" rel="nofollow">RustSec</a>, and
+        <a href="https://github.com/cloudsecurityalliance/gsd-database" rel="nofollow">Global Security Database</a>, and
         more.
       </p>
       <div class="cta">
diff --git a/gcp/website/frontend3/src/templates/linter/index.html b/gcp/website/frontend3/src/templates/linter/index.html
index 903b89ef09b..da68812b2a1 100644
--- a/gcp/website/frontend3/src/templates/linter/index.html
+++ b/gcp/website/frontend3/src/templates/linter/index.html
@@ -25,7 +25,7 @@ <h1>Open Source Vulnerabilities</h1>
                 </div>
             </div>
             <div id="header-right">
-                <a class="improvement-link" href="https://github.com/ossf/osv-schema/tree/main/tools/osv-linter">Run OSV-Linter</a>
+                <a class="improvement-link" href="https://github.com/ossf/osv-schema/tree/main/tools/osv-linter" rel="nofollow">Run OSV-Linter</a>
             </div>
         </header>
         <main>
diff --git a/gcp/website/frontend3/src/templates/vulnerability.html b/gcp/website/frontend3/src/templates/vulnerability.html
index 3a37f434249..d1faee2eecb 100644
--- a/gcp/website/frontend3/src/templates/vulnerability.html
+++ b/gcp/website/frontend3/src/templates/vulnerability.html
@@ -14,7 +14,7 @@ <h1 class="title">
           {{ vulnerability.id }}
         </h1>
         {% if vulnerability.human_source_link and vulnerability.human_source_link.startswith("https://github.com/advisories/") -%}
-          <a class="vulnerability-improvement-link" href="{{ vulnerability.human_source_link }}/improve">
+          <a class="vulnerability-improvement-link" href="{{ vulnerability.human_source_link }}/improve" rel="nofollow">
             Suggest an improvement
           </a>
         {% elif vulnerability.human_source_link and not vulnerability.id.startswith("openSUSE-") -%}
@@ -23,7 +23,7 @@ <h1 class="title">
             See a problem?
           </a>
           <br/>
-          Please try reporting it <a href="{{ vulnerability.human_source_link}}" target="_blank" rel="noopener noreferrer">to the source</a> first.
+          Please try reporting it <a href="{{ vulnerability.human_source_link}}" target="_blank" rel="nofollow noopener noreferrer">to the source</a> first.
         </div>
         {% else -%}
           <a class="vulnerability-improvement-link" href="https://google.github.io/osv.dev/faq/#ive-found-something-wrong-with-the-data" target="_blank" rel="noopener noreferrer">
@@ -35,12 +35,12 @@ <h1 class="title">
         <dl class="vulnerability-details">
           {%- if vulnerability.human_source_link and not vulnerability.id.startswith("openSUSE-") -%}
           <dt>Source</dt>
-          <dd><a href="{{ vulnerability.human_source_link }}" target="_blank" rel="noopener noreferrer">{{
+          <dd><a href="{{ vulnerability.human_source_link }}" target="_blank" rel="nofollow noopener noreferrer">{{
               vulnerability.human_source_link }}</a>
           </dd>
           {%- endif -%}
           <dt>Import Source</dt>
-          <dd><a href="{{ vulnerability.source_link }}" target="_blank" rel="noopener noreferrer">{{
+          <dd><a href="{{ vulnerability.source_link }}" target="_blank" rel="nofollow noopener noreferrer">{{
               vulnerability.source }}</a></dd>
 
           <dt>JSON Data</dt>
@@ -107,7 +107,7 @@ <h1 class="title">
                 {% if item | is_cvss %}
                   <span class="severity-level severity-{{ item | severity_level }}">{{ item | display_severity_rating }}</span>
                   {{ item.type }} - {{ item.score }}
-                  <a href="{{ item | cvss_calculator_url }}" target="_blank" rel="noopener noreferrer">
+                  <a href="{{ item | cvss_calculator_url }}" target="_blank" rel="nofollow noopener noreferrer">
                     CVSS Calculator</a>
                 {% else %}
                   <span class="severity-level severity-invalid">{{ item.type }} - {{ item.score }}</span>
@@ -141,7 +141,7 @@ <h1 class="title">
           <dd>
             <ul class="links">
               {% for reference in vulnerability.references -%}
-              <li><a href="{{ reference.url }}" target="_blank" rel="noopener noreferrer">{{ reference.url }}</a></li>
+              <li><a href="{{ reference.url }}" target="_blank" rel="nofollow noopener noreferrer">{{ reference.url }}</a></li>
               {% endfor -%}
             </ul>
           </dd>
@@ -157,7 +157,7 @@ <h1 class="title">
                   <li>
                     <ul class="contact">
                       {%- for item in credit.contact -%}
-                      <li><a href="{{ item }}" target="_blank" rel="noopener noreferrer">{{ item }}</a></li>
+                      <li><a href="{{ item }}" target="_blank" rel="nofollow noopener noreferrer">{{ item }}</a></li>
                       {%- endfor -%}
                     </ul>
                   </li>
@@ -227,7 +227,7 @@ <h3 class="mdc-layout-grid__cell--span-3">Severity</h3>
                         {% if item | is_cvss %}
                           <span class="severity-level severity-{{ item | severity_level }}">{{ item | display_severity_rating }}</span>
                           {{ item.type }} - {{ item.score }}
-                          <a href="{{ item | cvss_calculator_url }}" target="_blank" rel="noopener noreferrer">
+                          <a href="{{ item | cvss_calculator_url }}" target="_blank" rel="nofollow noopener noreferrer">
                             CVSS Calculator</a>
                         {% else %}
                           <span class="severity-level severity-invalid">{{ item.type }} - {{ item.score }}</span>
@@ -257,7 +257,7 @@ <h3 class="mdc-layout-grid__cell--span-3">Affected ranges <a href="https://ossf.
                             <div class="mdc-layout-grid__cell--span-9 version-value">
                               {% set link = event | event_link -%}
                               {% if link -%}
-                                <a href="{{ link }}">{{ event | event_value -}}</a>
+                                <a href="{{ link }}" rel="nofollow">{{ event | event_value -}}</a>
                               {% elif event | event_type == 'Introduced' and event | event_value == '0' -%}
                                 <div class="tooltip">{{ event | event_value -}}
                                   {% if range.type == 'GIT' %}
@@ -364,7 +364,7 @@ <h3 class="mdc-layout-grid__cell--span-3">
             <dl>
               <dt>Name</dt>
               {%- if affected.package | package_in_ecosystem -%}
-              <dd><a href="{{ affected.package | package_in_ecosystem }}" target="_blank" rel="noopener noreferrer">{{
+              <dd><a href="{{ affected.package | package_in_ecosystem }}" target="_blank" rel="nofollow noopener noreferrer">{{
                   affected.package.name }}</a></dd>
               {%- else -%}
               <dd>{{ affected.package.name }}</dd>
@@ -393,7 +393,7 @@ <h3 class="mdc-layout-grid__cell--span-3">
                 {% if item | is_cvss %}
                   <span class="severity-level severity-{{ item | severity_level }}">{{ item | display_severity_rating }}</span>
                   {{ item.type }} - {{ item.score }}
-                  <a href="{{ item | cvss_calculator_url }}" target="_blank" rel="noopener noreferrer">
+                  <a href="{{ item | cvss_calculator_url }}" target="_blank" rel="nofollow noopener noreferrer">
                     CVSS Calculator</a>
                 {% else %}
                   <span class="severity-level severity-invalid">{{ item.type }} - {{ item.score }}</span>
@@ -430,7 +430,7 @@ <h3 class="mdc-layout-grid__cell--span-3">
                     <div class="mdc-layout-grid__cell--span-9 version-value">
                       {% set link = event | event_link -%}
                       {% if link -%}
-                        <a href="{{ link }}">
+                        <a href="{{ link }}" rel="nofollow">
                           {{ event | event_value -}}
                         </a>
                       {% elif event | event_type == 'Introduced' and event | event_value == '0' -%}