mirror of
https://we.phorge.it/source/phorge.git
synced 2024-11-30 02:32:42 +01:00
Explicitly add rel="noreferrer" to all external links
Summary: See D19117. Instead of automatically figuring this out inside `phutil_tag()`, explicitly add rel="noreferrer" at the application level to all external links. Test Plan: - Grepped for `_blank`, `isValidRemoteURIForLink`, checked all callsites for user-controlled data. - Created a link menu item, verified noreferrer in markup. - Created a link custom field, verified no referrer in markup. - Verified noreferrer for `{nav href=...}`. Subscribers: PHID-OPKG-gm6ozazyms6q6i22gyam Differential Revision: https://secure.phabricator.com/D19118
This commit is contained in:
parent
eb3fd2b7f5
commit
05a4c55c52
11 changed files with 49 additions and 25 deletions
|
@ -77,6 +77,7 @@ final class PhabricatorAuthAccountView extends AphrontView {
|
|||
array(
|
||||
'href' => $account_uri,
|
||||
'target' => '_blank',
|
||||
'rel' => 'noreferrer',
|
||||
),
|
||||
$account_uri);
|
||||
}
|
||||
|
|
|
@ -45,6 +45,7 @@ final class PhabricatorCalendarICSURIImportEngine
|
|||
array(
|
||||
'href' => $uri,
|
||||
'target' => '_blank',
|
||||
'rel' => 'noreferrer',
|
||||
),
|
||||
$uri);
|
||||
}
|
||||
|
|
|
@ -20,7 +20,6 @@ final class PhabricatorImageRemarkupRule extends PhutilRemarkupRule {
|
|||
$defaults = array(
|
||||
'uri' => null,
|
||||
'alt' => null,
|
||||
'href' => null,
|
||||
'width' => null,
|
||||
'height' => null,
|
||||
);
|
||||
|
@ -45,10 +44,6 @@ final class PhabricatorImageRemarkupRule extends PhutilRemarkupRule {
|
|||
|
||||
$args += $defaults;
|
||||
|
||||
if ($args['href'] && !PhabricatorEnv::isValidURIForLink($args['href'])) {
|
||||
$args['href'] = null;
|
||||
}
|
||||
|
||||
if ($args['uri']) {
|
||||
$src_uri = id(new PhutilURI('/file/imageproxy/'))
|
||||
->setQueryParam('uri', (string)$args['uri']);
|
||||
|
@ -57,10 +52,9 @@ final class PhabricatorImageRemarkupRule extends PhutilRemarkupRule {
|
|||
array(
|
||||
'src' => $src_uri,
|
||||
'alt' => $args['alt'],
|
||||
'href' => $args['href'],
|
||||
'width' => $args['width'],
|
||||
'height' => $args['height'],
|
||||
));
|
||||
));
|
||||
return $this->getEngine()->storeText($img);
|
||||
} else {
|
||||
return $matches[0];
|
||||
|
|
|
@ -81,6 +81,7 @@ final class HarbormasterURIArtifact extends HarbormasterArtifact {
|
|||
array(
|
||||
'href' => $uri,
|
||||
'target' => '_blank',
|
||||
'rel' => 'noreferrer',
|
||||
),
|
||||
$name);
|
||||
}
|
||||
|
|
|
@ -309,6 +309,8 @@ final class NuanceGitHubEventItemType
|
|||
'a',
|
||||
array(
|
||||
'href' => $event_uri,
|
||||
'target' => '_blank',
|
||||
'rel' => 'noreferrer',
|
||||
),
|
||||
$event_uri);
|
||||
}
|
||||
|
|
|
@ -64,6 +64,7 @@ final class PhabricatorPhurlLinkRemarkupRule extends PhutilRemarkupRule {
|
|||
array(
|
||||
'href' => $uri,
|
||||
'target' => '_blank',
|
||||
'rel' => 'noreferrer',
|
||||
),
|
||||
$name);
|
||||
}
|
||||
|
|
|
@ -99,7 +99,8 @@ final class PhabricatorLinkProfileMenuItem
|
|||
->setHref($href)
|
||||
->setName($name)
|
||||
->setIcon($icon_class)
|
||||
->setTooltip($tooltip);
|
||||
->setTooltip($tooltip)
|
||||
->setRel('noreferrer');
|
||||
|
||||
return array(
|
||||
$item,
|
||||
|
|
|
@ -31,7 +31,11 @@ final class PhabricatorStandardCustomFieldLink
|
|||
|
||||
return phutil_tag(
|
||||
'a',
|
||||
array('href' => $value, 'target' => '_blank'),
|
||||
array(
|
||||
'href' => $value,
|
||||
'target' => '_blank',
|
||||
'rel' => 'noreferrer',
|
||||
),
|
||||
$value);
|
||||
}
|
||||
|
||||
|
|
|
@ -255,8 +255,10 @@ final class PhabricatorActionView extends AphrontView {
|
|||
} else {
|
||||
if ($this->getOpenInNewWindow()) {
|
||||
$target = '_blank';
|
||||
$rel = 'noreferrer';
|
||||
} else {
|
||||
$target = null;
|
||||
$rel = null;
|
||||
}
|
||||
|
||||
if ($this->submenu) {
|
||||
|
@ -277,6 +279,7 @@ final class PhabricatorActionView extends AphrontView {
|
|||
'href' => $this->getHref(),
|
||||
'class' => 'phabricator-action-view-item',
|
||||
'target' => $target,
|
||||
'rel' => $rel,
|
||||
'sigil' => $sigils,
|
||||
'meta' => $this->metadata,
|
||||
),
|
||||
|
|
|
@ -34,6 +34,7 @@ final class PHUIListItemView extends AphrontTagView {
|
|||
private $actionIcon;
|
||||
private $actionIconHref;
|
||||
private $count;
|
||||
private $rel;
|
||||
|
||||
public function setOpenInNewWindow($open_in_new_window) {
|
||||
$this->openInNewWindow = $open_in_new_window;
|
||||
|
@ -44,7 +45,16 @@ final class PHUIListItemView extends AphrontTagView {
|
|||
return $this->openInNewWindow;
|
||||
}
|
||||
|
||||
public function setHideInApplicationMenu($hide) {
|
||||
public function setRel($rel) {
|
||||
$this->rel = $rel;
|
||||
return $this;
|
||||
}
|
||||
|
||||
public function getRel() {
|
||||
return $this->rel;
|
||||
}
|
||||
|
||||
public function setHideInApplicationMenu($hide) {
|
||||
$this->hideInApplicationMenu = $hide;
|
||||
return $this;
|
||||
}
|
||||
|
@ -363,6 +373,7 @@ final class PHUIListItemView extends AphrontTagView {
|
|||
'meta' => $meta,
|
||||
'sigil' => $sigil,
|
||||
'target' => $this->getOpenInNewWindow() ? '_blank' : null,
|
||||
'rel' => $this->rel,
|
||||
),
|
||||
array(
|
||||
$aural,
|
||||
|
|
|
@ -154,25 +154,30 @@ final class PHUITagView extends AphrontTagView {
|
|||
$classes[] = 'phui-tag-'.$this->border;
|
||||
}
|
||||
|
||||
if ($this->phid) {
|
||||
Javelin::initBehavior('phui-hovercards');
|
||||
$attributes = array(
|
||||
'href' => $this->href,
|
||||
'class' => $classes,
|
||||
);
|
||||
|
||||
$attributes = array(
|
||||
'href' => $this->href,
|
||||
'sigil' => 'hovercard',
|
||||
'meta' => array(
|
||||
'hoverPHID' => $this->phid,
|
||||
),
|
||||
'target' => $this->external ? '_blank' : null,
|
||||
);
|
||||
} else {
|
||||
$attributes = array(
|
||||
'href' => $this->href,
|
||||
'target' => $this->external ? '_blank' : null,
|
||||
if ($this->external) {
|
||||
$attributes += array(
|
||||
'target' => '_blank',
|
||||
'rel' => 'noreferrer',
|
||||
);
|
||||
}
|
||||
|
||||
return $attributes + array('class' => $classes);
|
||||
if ($this->phid) {
|
||||
Javelin::initBehavior('phui-hovercards');
|
||||
|
||||
$attributes += array(
|
||||
'sigil' => 'hovercard',
|
||||
'meta' => array(
|
||||
'hoverPHID' => $this->phid,
|
||||
),
|
||||
);
|
||||
}
|
||||
|
||||
return $attributes;
|
||||
}
|
||||
|
||||
protected function getTagContent() {
|
||||
|
|
Loading…
Reference in a new issue