
Explicitly add rel="noreferrer" to all external links

Summary: See D19117. Instead of automatically figuring this out inside `phutil_tag()`, explicitly add rel="noreferrer" at the application level to all external links.

Test Plan:
  - Grepped for `_blank`, `isValidRemoteURIForLink`, checked all callsites for user-controlled data.
  - Created a link menu item, verified noreferrer in markup.
  - Created a link custom field, verified noreferrer in markup.
  - Verified noreferrer for `{nav href=...}`.

Subscribers: PHID-OPKG-gm6ozazyms6q6i22gyam

Differential Revision: https://secure.phabricator.com/D19118
epriestley 2018-02-17 17:37:38 -08:00
parent eb3fd2b7f5
commit 05a4c55c52
11 changed files with 49 additions and 25 deletions


@ -77,6 +77,7 @@ final class PhabricatorAuthAccountView extends AphrontView {
array( array(
'href' => $account_uri, 'href' => $account_uri,
'target' => '_blank', 'target' => '_blank',
'rel' => 'noreferrer',
), ),
$account_uri); $account_uri);
} }
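Review bot: The new `'rel' => 'noreferrer'` on a `target => '_blank'` link leaves suppression of `window.opener` to the browser rule that noreferrer implies noopener, which current browsers follow but nothing in the code states. Since the commit's stated goal is referrer suppression this is not a defect, but someone auditing cross-window exposure later has to know that rule; either make the intent explicit with `'rel' => 'noopener noreferrer',` or keep the value and add `// noreferrer also implies noopener: the opened page gets no window.opener handle.` above it. The same pattern appears in the CalendarICSURIImportEngine, HarbormasterURIArtifact, NuanceGitHubEventItemType, PhurlLinkRemarkupRule, StandardCustomFieldLink, ActionView and PHUITagView hunks, so whichever form is chosen should be applied in all of them. The enclosing method starts outside the hunk.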


@ -45,6 +45,7 @@ final class PhabricatorCalendarICSURIImportEngine
array( array(
'href' => $uri, 'href' => $uri,
'target' => '_blank', 'target' => '_blank',
'rel' => 'noreferrer',
), ),
$uri); $uri);
} }


@ -20,7 +20,6 @@ final class PhabricatorImageRemarkupRule extends PhutilRemarkupRule {
$defaults = array( $defaults = array(
'uri' => null, 'uri' => null,
'alt' => null, 'alt' => null,
'href' => null,
'width' => null, 'width' => null,
'height' => null, 'height' => null,
); );
@ -45,10 +44,6 @@ final class PhabricatorImageRemarkupRule extends PhutilRemarkupRule {
$args += $defaults; $args += $defaults;
if ($args['href'] && !PhabricatorEnv::isValidURIForLink($args['href'])) {
$args['href'] = null;
}
if ($args['uri']) { if ($args['uri']) {
$src_uri = id(new PhutilURI('/file/imageproxy/')) $src_uri = id(new PhutilURI('/file/imageproxy/'))
->setQueryParam('uri', (string)$args['uri']); ->setQueryParam('uri', (string)$args['uri']);
@ -57,10 +52,9 @@ final class PhabricatorImageRemarkupRule extends PhutilRemarkupRule {
array( array(
'src' => $src_uri, 'src' => $src_uri,
'alt' => $args['alt'], 'alt' => $args['alt'],
'href' => $args['href'],
'width' => $args['width'], 'width' => $args['width'],
'height' => $args['height'], 'height' => $args['height'],
)); ));
return $this->getEngine()->storeText($img); return $this->getEngine()->storeText($img);
} else { } else {
return $matches[0]; return $matches[0];


@ -81,6 +81,7 @@ final class HarbormasterURIArtifact extends HarbormasterArtifact {
array( array(
'href' => $uri, 'href' => $uri,
'target' => '_blank', 'target' => '_blank',
'rel' => 'noreferrer',
), ),
$name); $name);
} }


@ -309,6 +309,8 @@ final class NuanceGitHubEventItemType
'a', 'a',
array( array(
'href' => $event_uri, 'href' => $event_uri,
'target' => '_blank',
'rel' => 'noreferrer',
), ),
$event_uri); $event_uri);
} }


@ -64,6 +64,7 @@ final class PhabricatorPhurlLinkRemarkupRule extends PhutilRemarkupRule {
array( array(
'href' => $uri, 'href' => $uri,
'target' => '_blank', 'target' => '_blank',
'rel' => 'noreferrer',
), ),
$name); $name);
} }


@ -99,7 +99,8 @@ final class PhabricatorLinkProfileMenuItem
->setHref($href) ->setHref($href)
->setName($name) ->setName($name)
->setIcon($icon_class) ->setIcon($icon_class)
->setTooltip($tooltip); ->setTooltip($tooltip)
->setRel('noreferrer');
return array( return array(
$item, $item,


@ -31,7 +31,11 @@ final class PhabricatorStandardCustomFieldLink
return phutil_tag( return phutil_tag(
'a', 'a',
array('href' => $value, 'target' => '_blank'), array(
'href' => $value,
'target' => '_blank',
'rel' => 'noreferrer',
),
$value); $value);
} }


@ -255,8 +255,10 @@ final class PhabricatorActionView extends AphrontView {
} else { } else {
if ($this->getOpenInNewWindow()) { if ($this->getOpenInNewWindow()) {
$target = '_blank'; $target = '_blank';
$rel = 'noreferrer';
} else { } else {
$target = null; $target = null;
$rel = null;
} }
if ($this->submenu) { if ($this->submenu) {
@ -277,6 +279,7 @@ final class PhabricatorActionView extends AphrontView {
'href' => $this->getHref(), 'href' => $this->getHref(),
'class' => 'phabricator-action-view-item', 'class' => 'phabricator-action-view-item',
'target' => $target, 'target' => $target,
'rel' => $rel,
'sigil' => $sigils, 'sigil' => $sigils,
'meta' => $this->metadata, 'meta' => $this->metadata,
), ),


@ -34,6 +34,7 @@ final class PHUIListItemView extends AphrontTagView {
private $actionIcon; private $actionIcon;
private $actionIconHref; private $actionIconHref;
private $count; private $count;
private $rel;
public function setOpenInNewWindow($open_in_new_window) { public function setOpenInNewWindow($open_in_new_window) {
$this->openInNewWindow = $open_in_new_window; $this->openInNewWindow = $open_in_new_window;
@ -44,7 +45,16 @@ final class PHUIListItemView extends AphrontTagView {
return $this->openInNewWindow; return $this->openInNewWindow;
} }
public function setHideInApplicationMenu($hide) { public function setRel($rel) {
$this->rel = $rel;
return $this;
}
public function getRel() {
return $this->rel;
}
public function setHideInApplicationMenu($hide) {
$this->hideInApplicationMenu = $hide; $this->hideInApplicationMenu = $hide;
return $this; return $this;
} }
@ -363,6 +373,7 @@ final class PHUIListItemView extends AphrontTagView {
'meta' => $meta, 'meta' => $meta,
'sigil' => $sigil, 'sigil' => $sigil,
'target' => $this->getOpenInNewWindow() ? '_blank' : null, 'target' => $this->getOpenInNewWindow() ? '_blank' : null,
'rel' => $this->rel,
), ),
array( array(
$aural, $aural,


@ -154,25 +154,30 @@ final class PHUITagView extends AphrontTagView {
$classes[] = 'phui-tag-'.$this->border; $classes[] = 'phui-tag-'.$this->border;
} }
if ($this->phid) { $attributes = array(
Javelin::initBehavior('phui-hovercards'); 'href' => $this->href,
'class' => $classes,
);
$attributes = array( if ($this->external) {
'href' => $this->href, $attributes += array(
'sigil' => 'hovercard', 'target' => '_blank',
'meta' => array( 'rel' => 'noreferrer',
'hoverPHID' => $this->phid,
),
'target' => $this->external ? '_blank' : null,
);
} else {
$attributes = array(
'href' => $this->href,
'target' => $this->external ? '_blank' : null,
); );
} }
return $attributes + array('class' => $classes); if ($this->phid) {
Javelin::initBehavior('phui-hovercards');
$attributes += array(
'sigil' => 'hovercard',
'meta' => array(
'hoverPHID' => $this->phid,
),
);
}
return $attributes;
} }
protected function getTagContent() { protected function getTagContent() {
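Review bot: `$this->external` is now the only switch that yields `target="_blank"` and `rel="noreferrer"` on a tag, so a caller rendering a user-supplied href without marking the tag external gets neither; that contract is implicit in the `if ($this->external)` block and deserves a comment such as `// External hrefs open in a new tab without leaking the referrer; callers rendering user-controlled URIs must mark the tag external.`. The `+=` merges are correct as written because the key sets are disjoint, but a reader has to verify that, since array union keeps the left-hand value on a key collision; a short note on the first `+=` would save that check. The enclosing method starts outside the hunk.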