revi-archive/phorge-phorge
1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-11-26 16:52:41 +01:00
Code Issues Releases Wiki Activity

Explicitly add rel="noreferrer" to all external links

Browse source 
Summary: See D19117. Instead of automatically figuring this out inside `phutil_tag()`, explicitly add rel="noreferrer" at the application level to all external links.

Test Plan:
  - Grepped for `_blank`, `isValidRemoteURIForLink`, checked all callsites for user-controlled data.
  - Created a link menu item, verified noreferrer in markup.
  - Created a link custom field, verified no referrer in markup.
  - Verified noreferrer for `{nav href=...}`.

Subscribers: PHID-OPKG-gm6ozazyms6q6i22gyam

Differential Revision: https://secure.phabricator.com/D19118
This commit is contained in:
epriestley 2018-02-17 17:37:38 -08:00
parent eb3fd2b7f5
commit 05a4c55c52
11 changed files with 49 additions and 25 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
src/applications/auth/view/PhabricatorAuthAccountView.php
View file

@ -77,6 +77,7 @@ final class PhabricatorAuthAccountView extends AphrontView {
array(
'href' => $account_uri,
'target' => '_blank',
'rel' => 'noreferrer',
),
$account_uri);
}

1
src/applications/calendar/import/PhabricatorCalendarICSURIImportEngine.php
View file

@ -45,6 +45,7 @@ final class PhabricatorCalendarICSURIImportEngine
array(
'href' => $uri,
'target' => '_blank',
'rel' => 'noreferrer',
),
$uri);
}

8
src/applications/files/markup/PhabricatorImageRemarkupRule.php
View file

@ -20,7 +20,6 @@ final class PhabricatorImageRemarkupRule extends PhutilRemarkupRule {
$defaults = array(
'uri' => null,
'alt' => null,
'href' => null,
'width' => null,
'height' => null,
);
@ -45,10 +44,6 @@ final class PhabricatorImageRemarkupRule extends PhutilRemarkupRule {
$args += $defaults;
if ($args['href'] && !PhabricatorEnv::isValidURIForLink($args['href'])) {
$args['href'] = null;
}
if ($args['uri']) {
$src_uri = id(new PhutilURI('/file/imageproxy/'))
->setQueryParam('uri', (string)$args['uri']);
@ -57,10 +52,9 @@ final class PhabricatorImageRemarkupRule extends PhutilRemarkupRule {
array(
'src' => $src_uri,
'alt' => $args['alt'],
'href' => $args['href'],
'width' => $args['width'],
'height' => $args['height'],
));
));
return $this->getEngine()->storeText($img);
} else {
return $matches[0];

1
src/applications/harbormaster/artifact/HarbormasterURIArtifact.php
View file

@ -81,6 +81,7 @@ final class HarbormasterURIArtifact extends HarbormasterArtifact {
array(
'href' => $uri,
'target' => '_blank',
'rel' => 'noreferrer',
),
$name);
}

2
src/applications/nuance/item/NuanceGitHubEventItemType.php
View file

@ -309,6 +309,8 @@ final class NuanceGitHubEventItemType
'a',
array(
'href' => $event_uri,
'target' => '_blank',
'rel' => 'noreferrer',
),
$event_uri);
}

1
src/applications/phurl/remarkup/PhabricatorPhurlLinkRemarkupRule.php
View file

@ -64,6 +64,7 @@ final class PhabricatorPhurlLinkRemarkupRule extends PhutilRemarkupRule {
array(
'href' => $uri,
'target' => '_blank',
'rel' => 'noreferrer',
),
$name);
}

3
src/applications/search/menuitem/PhabricatorLinkProfileMenuItem.php
View file

@ -99,7 +99,8 @@ final class PhabricatorLinkProfileMenuItem
->setHref($href)
->setName($name)
->setIcon($icon_class)
->setTooltip($tooltip);
->setTooltip($tooltip)
->setRel('noreferrer');
return array(
$item,

6
src/infrastructure/customfield/standard/PhabricatorStandardCustomFieldLink.php
View file

@ -31,7 +31,11 @@ final class PhabricatorStandardCustomFieldLink
return phutil_tag(
'a',
array('href' => $value, 'target' => '_blank'),
array(
'href' => $value,
'target' => '_blank',
'rel' => 'noreferrer',
),
$value);
}

3
src/view/layout/PhabricatorActionView.php
View file

@ -255,8 +255,10 @@ final class PhabricatorActionView extends AphrontView {
} else {
if ($this->getOpenInNewWindow()) {
$target = '_blank';
$rel = 'noreferrer';
} else {
$target = null;
$rel = null;
}
if ($this->submenu) {
@ -277,6 +279,7 @@ final class PhabricatorActionView extends AphrontView {
'href' => $this->getHref(),
'class' => 'phabricator-action-view-item',
'target' => $target,
'rel' => $rel,
'sigil' => $sigils,
'meta' => $this->metadata,
),

13
src/view/phui/PHUIListItemView.php
View file

@ -34,6 +34,7 @@ final class PHUIListItemView extends AphrontTagView {
private $actionIcon;
private $actionIconHref;
private $count;
private $rel;
public function setOpenInNewWindow($open_in_new_window) {
$this->openInNewWindow = $open_in_new_window;
@ -44,7 +45,16 @@ final class PHUIListItemView extends AphrontTagView {
return $this->openInNewWindow;
}
public function setHideInApplicationMenu($hide) {
public function setRel($rel) {
$this->rel = $rel;
return $this;
}
public function getRel() {
return $this->rel;
}
public function setHideInApplicationMenu($hide) {
$this->hideInApplicationMenu = $hide;
return $this;
}
@ -363,6 +373,7 @@ final class PHUIListItemView extends AphrontTagView {
'meta' => $meta,
'sigil' => $sigil,
'target' => $this->getOpenInNewWindow() ? '_blank' : null,
'rel' => $this->rel,
),
array(
$aural,

35
src/view/phui/PHUITagView.php
View file

@ -154,25 +154,30 @@ final class PHUITagView extends AphrontTagView {
$classes[] = 'phui-tag-'.$this->border;
}
if ($this->phid) {
Javelin::initBehavior('phui-hovercards');
$attributes = array(
'href' => $this->href,
'class' => $classes,
);
$attributes = array(
'href' => $this->href,
'sigil' => 'hovercard',
'meta' => array(
'hoverPHID' => $this->phid,
),
'target' => $this->external ? '_blank' : null,
);
} else {
$attributes = array(
'href' => $this->href,
'target' => $this->external ? '_blank' : null,
if ($this->external) {
$attributes += array(
'target' => '_blank',
'rel' => 'noreferrer',
);
}
return $attributes + array('class' => $classes);
if ($this->phid) {
Javelin::initBehavior('phui-hovercards');
$attributes += array(
'sigil' => 'hovercard',
'meta' => array(
'hoverPHID' => $this->phid,
),
);
}
return $attributes;
}
protected function getTagContent() {