Is this inteded to be applied to links autogenerated in notes and such?

I am thinking there is no harm in applying it to all links within Mantis. Independent of whether they are typed by anonymous user, developer, they are hyperlinked issue numbers, etc. I also don't think it should be configurable at this stage.

This should only apply to external URLs. You don't want to put nofollow on your internal links, because then your site will not get indexed properly and/or your site will not be easily found by those searching about their problems. Because it would be a smaller subset of links being processed to only add nofollow to external links, it could easily be configured to the site maintainer's benefit:

• Notes created by DEVELOPER access or higher should not be set to nofollow, so that valid reference locations can still be indexed accordingly. The threat of spam from users with this access level should be below negligible.
• Notes to a certain list of domains (listed in config_inc.php methinks) should not have nofollow added. This will allow sister sites (wikis, manuals, etc) to be properly indexed even in unprivileged users' comments, while thwarting spam attempts to unrelated websites.

By restricting the application of nofollow to links to untrusted sites by untrusted users, you can still help to stop spam without preventing Google et al from properly indexing links to valid reference sites and materials. It would be worse to blindly apply nofollow to every link on Mantis than it would be to not apply it at all.

I agree with jreese's comments. The trusted threshold and sites should be configurable.

Ok, let's see if we can sort this out without YACP (Yet Another Configuration Parameter) :)

About the threshold, the point of the rel="nofollow" property is to avoid comment spam by removing the gain spammers get on thir page ranks.

Spammers will (eventaully) try to use:

1. the anonymous login
2. a newly created account

I think it is unlikely that a spammer will ever get an access level above 2, otherwise you have bigger problems to worry about...

For this reason, I think we should add the nofollow tag to links cretated by users below $g_default_new_account_access_level

I am not sure about "whitelisting" links because, as the googleblog says, the nofollow tag will affect only the target page rank in searches, not the indexing phase that will be performed as usual.

If you really want to whitelist something, I'd propose to use the installation domain, but I believe this is marginal gain

If you're dead set against adding configuration parameters, then I think a good baseline would be to do this:

• Place the nofollow attribute on all links except:
  -- Links to the same parent domain running the Mantis installation, including other subdomains.
  -- Links posted by users above default_new_account_access_level.

I would still prefer to give the user the ability to whitelist other sites, but as you've said, it's not truly devastating to leave that out of the picture.

Removed assignment. giallu will not contribute to this issue in near future.

I can see the HTML-ization of links in user content is currently done in the function 'string_insert_hrefs' in /core/string_api.php

Would a plugin be able to do this?

Would a plugin be able to do this?

The implementation in MantisBT is a plugin.
Have a look at plugins/MantisCoreFormatting

I would like to take a shot at this. Will submit a PR soon.

Thanks @c_schmitz, do not hesitate to ask if you need help.

See https://github.com/mantisbt/mantisbt/pull/2044

Thank you @c_schmitz for your contribution !