Lack of interest Per user group setting to globally disallow posting external links


Well-known member
For spam control, I'd like to see a per user-group setting to globally disallow posting external links in any way, shape, or form. By default have it turned on for the "New Members" group. This would disallow posting external URLs/email addresses in messages, personal conversations, signatures, profile messages, in any of the personal details fields including "homepage"— and anywhere else you might possibly be able to post a URL. Of course, this would be smart enough to still allow posting a URL to another thread on your own site.


XenForo developer
Staff member
Define "disable". Block posting if an external URL is found? Block posting if an external URL is linked via BB code? Or strip out auto linking? Blocking posting if a linked URL is found is dangerous as IE (at least) will auto-link URLs pasted into a WYSIWYG editor.


Well-known member
My first inclination would be to show an error if an external URL is found and have the user go back and remove it. Another, less drastic option would be to ensure than any external URL that is found is not turned into a clickable link in any way, or if it's already a link (due to bbcode or IE behavior) then remove the link and have it be plain text. I would be fine with either one of these behaviours.


The best way is to disable bbcode parsing for a specific usergroup in this case URL. No need to strip out urls or do anything "regexey" with the post.

But i think we should abstract this feature and have full bbcode control but i'm not to sure about that becau i want to make sure i'm not requesting features that will add bloat. Ill have to see what the devs thinks if this is invading on their principles.


Well-known member
I see usergroup-specific bbcode parsing permissions as a separate (and useful) suggestion.

What I want here is a one-stop option to completely stop members of a usergroup from including URLs (possibly even unlinked URLs) in *any* content they submit anywhere on the site.

I hadn't thought of implementing it like this, but your comment got me thinking. You could basically do this in your global bootstrapping code:

if (is POST request, and a string resembling a URL or even a domain name is found in any of the POST data)
        // show error message about not having permission to post URLs/websites/domains
That could be pretty dangerous, but if done right, it could work as well and would automatically apply to any new features as well.