Ok, so when linkifying anything, it's just going to be a js-only effect. As such, rel="nofollow" doesn't seem that critical (only search engines that parse js would actually see the effects on linkify). But if you use linkify on user-generated content (the use case that is most applicable to not just doing it server-side) random spammers who come by a site are going to see $$$ chi-ching, links that they can create that don't appear to be nofollowed, that appear to pass link juice.

So I think to avoid the appearance of vulnerability to spamming, the links created should get rel='nofollow' by default. Of course, the added bonus of a setting to take off nofollow would be nice, though I'm not sure that's even necessary since the use case for non-nofollow js-created dynamic links is a tiny subset of use-cases.

The change introduced to make linkify only run on text nodes has actually introduced a major XSS problem. Because the value of the node is retrieved as text, but put back as HTML, it will actually convert any HTML-encoded tags into HTML.

See http://jsfiddle.net/BH9Kc/ for a proof of concept (contains current version of linkify inline). The page previously contained a completely safe HTML-encoded script tag, but once linkify is run it gets executed.

This bug was introduced with commit 07286dd. Reverting this commit stops the problem, but probably reintroduces the problems with running on non-text nodes.

By default, if I linkify www.google.com, I get a link to the following: http://localhost:3000/users/www.google.com

There should be an option or a way to force http:// at the beginning

EDIT: this plugin works: http://stackoverflow.com/questions/9156458/when-using-jquery-linkify-plugin-how-do-i-truncate-the-url

Hi @uudashr . I've noticed that you have licensed several other projects under the MIT License but cannot find any licensing information for jquery-linkify. What license applies to this project? Thanks very much.

Code:

         some text

When using linkify leading spaces (before "some text" in example above) are removed. It should not happen.

http://jsfiddle.net/ZkfDE/

Links that are already properly formed are not overlooked.