Redirect — Outbound Link Manager
Purpose
Provides a secure transition bridge for users leaving the platform via external links. It informs the user of the redirection, implements a safety delay, and performs basic bot/human detection to prevent automated scraping or referral abuse.
How it works
The redirector operates in two phases to ensure a balance between user experience and security:
Server-side (PHP):
Trust Scoring: Evaluates a $confidence_level based on Sec-Fetch headers, session existence, and referrers.
URL Sanitization: Validates and forces the https:// protocol on target URLs.
Bot Mitigation: Identifies non-human navigation patterns.
Client-side (JavaScript):
Countdown: A 6-second timer is initiated upon page load.
Auto-Redirection: Once the timer reaches zero, the browser navigates to the target URL.
Fallback: A <meta http-equiv="Refresh"> tag acts as a secondary mechanism.
Confidence Scoring
The engine uses a weighted point system to determine the nature of the visitor:
+2 points: Presence of HTTP_SEC_FETCH_USER.
+2 points: Active PHPSESSID.
+1 point: Valid HTTP_REFERER.
Security
XSS Protection: The target URL is sanitized to prevent injection.
IP Banning: Integrated logic to log and ban IPs associated with XSS referer abuse in the banned_ips table.
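The scoring and URL handling described under Confidence Scoring and Security, as an added PHP illustration that is not the plugin's own code. The weights and the 6-second delay come from this document; the function names, the same-host reading of a "valid" referer, the host pattern, and the sample request are assumptions.

```php
<?php
// Weights follow the list in this document; all names here are hypothetical.
function confidence_level(array $server, array $cookies, string $ownHost): int
{
    $score = 0;
    if (!empty($server['HTTP_SEC_FETCH_USER'])) { // sent as "?1" on user-activated navigation
        $score += 2;
    }
    if (!empty($cookies['PHPSESSID'])) { // assumption: cookie present means active session
        $score += 2;
    }
    // Assumption: a "valid" referer is one whose host is this site's own host.
    $refHost = parse_url((string)($server['HTTP_REFERER'] ?? ''), PHP_URL_HOST);
    if (is_string($refHost) && strcasecmp($refHost, $ownHost) === 0) {
        $score += 1;
    }
    return $score; // every input is client-supplied, so this is a hint, not proof
}

// Accepts "host/path" or "http(s)://host/path"; always returns an https:// URL.
// Other schemes, userinfo, control characters, quotes and angle brackets give null.
function sanitize_target(string $raw): ?string
{
    $re = '~^(?:https?://)?([a-z0-9](?:[a-z0-9.-]*[a-z0-9])?)'
        . '((?::\d{1,5})?(?:[/?#][^\x00-\x20\x7f"\'<>]*)?)$~i';
    if (preg_match($re, trim($raw), $m) !== 1) {
        return null;
    }
    return 'https://' . strtolower($m[1]) . $m[2];
}

// Constructed sample request and targets.
$server  = ['HTTP_SEC_FETCH_USER' => '?1', 'HTTP_REFERER' => 'https://forum.example/topic/1'];
$cookies = ['PHPSESSID' => 'constructed-session-id'];
echo 'confidence_level = ', confidence_level($server, $cookies, 'forum.example'), "\n";

$targets = ['http://example.org/a?b=1', 'example.org:8443/x', 'javascript:alert(1)', 'https://a"><script>'];
foreach ($targets as $raw) {
    $url = sanitize_target($raw);
    if ($url === null) {
        echo 'rejected: ', htmlspecialchars($raw, ENT_QUOTES, 'UTF-8'), "\n";
        continue;
    }
    // Encode per output context: HTML attribute for the meta fallback, JS string for the timer.
    $attr = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $js   = json_encode($url, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    echo "<meta http-equiv=\"Refresh\" content=\"6;url={$attr}\">\n";
    echo "<script>setTimeout(function(){location.href={$js};},6000);</script>\n";
}
```

The allow-list pattern is deliberately conservative: internationalized hostnames must arrive in punycode form, and anything that does not parse as host, optional port and path is refused rather than repaired.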
Structure
/plugins/redirect/
├── redirect.php
├── /locale/
│   ├── redirect.en.inc.php
│   └── redirect.fr.inc.php
└── /doc/
    └── redirect.md
Translations
5 primary translation keys in $dialredirect[]:
[0] — Departure notice
[1] — Redirection message
[2] — Time unit (seconds)
[3] — External content disclaimer
[4] — Bot access denial message
Changelog
1.08.0 (2026-02-07): Integration of Fetch Metadata headers for improved human detection.
1.0.0 (2004): Original release.