integration / prechecker
Commit 19075785 authored Feb 11, 2016 by Cameron Ball
Committed by Eloy Lafuente, Mar 08, 2016
MDL-52651 htmlpurifier: Append rel=noreferrer to links.
Thank you to Zachary Durber for originally working on this issue.
parent dc842157
Changes: 4
lib/htmlpurifier/locallib.php
@@ -119,3 +119,69 @@ class HTMLPurifier_URIScheme_teamspeak extends HTMLPurifier_URIScheme {
}
}
/**
* A custom HTMLPurifier transformation. Adds rel="noreferrer" to all links with target="_blank".
*
* @package core
* @copyright Cameron Ball
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
class
HTMLPurifier_AttrTransform_Noreferrer
extends
HTMLPurifier_AttrTransform
{
/** @var HTMLPurifier_URIParser $parser */
private
$parser
;
/**
* Constructor.
*/
public
function
__construct
()
{
$this
->
parser
=
new
HTMLPurifier_URIParser
();
}
/**
* Transforms a tags such that when a target attribute is present, rel="noreferrer" is added.
*
* Note that this will not respect Attr.AllowedRel
*
* @param array $attr Assoc array of attributes, usually from
* HTMLPurifier_Token_Tag::$attr
* @param HTMLPurifier_Config $config Mandatory HTMLPurifier_Config object.
* @param HTMLPurifier_Context $context Mandatory HTMLPurifier_Context object
* @return array Processed attribute array.
*/
public
function
transform
(
$attr
,
$config
,
$context
)
{
// Nothing to do If we already have noreferrer in the rel attribute
if
(
!
empty
(
$attr
[
'rel'
])
&&
substr
(
$attr
[
'rel'
],
'noreferrer'
)
!==
false
)
{
return
$attr
;
}
// If _blank target attribute exists, add rel=noreferrer
if
(
!
empty
(
$attr
[
'target'
])
&&
$attr
[
'target'
]
==
'_blank'
)
{
$attr
[
'rel'
]
=
!
empty
(
$attr
[
'rel'
])
?
$attr
[
'rel'
]
.
' noreferrer'
:
'noreferrer'
;
}
return
$attr
;
}
}
/**
* A custom HTMLPurifier module to add rel="noreferrer" attributes a tags.
*
* @package core
* @copyright Cameron Ball
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
class
HTMLPurifier_HTMLModule_Noreferrer
extends
HTMLPurifier_HTMLModule
{
/** @var string $name */
public
$name
=
'Noreferrer'
;
/**
* Module setup
*
* @param HTMLPurifier_Config $config
*/
public
function
setup
(
$config
)
{
$a
=
$this
->
addBlankElement
(
'a'
);
$a
->
attr_transform_post
[]
=
new
HTMLPurifier_AttrTransform_Noreferrer
();
}
}
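Review bot: the "already has noreferrer" check in transform() calls substr($attr['rel'], 'noreferrer') !== false, but substr() takes an integer offset as its second argument; given a string, PHP emits a warning and returns NULL, and NULL !== false is true, so any link that already carries a non-empty rel value is returned unchanged and the append branch below it is never reached for those links. The intended call is strpos(), and because rel is a space-separated token list it is safer still to split on whitespace and compare whole tokens, e.g. `in_array('noreferrer', preg_split('/\s+/', $attr['rel']))`, which also avoids matching a longer token that merely contains the substring. Two smaller points: the $parser property (HTMLPurifier_URIParser) is created in the constructor but never used in transform(), so it can be dropped, and `$attr['target'] == '_blank'` would be clearer as a strict === comparison.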
lib/tests/htmlpurifier_test.php
@@ -40,9 +40,13 @@ class core_htmlpurifier_testcase extends basic_testcase {
* Verify _blank target is allowed.
*/
public
function
test_allow_blank_target
()
{
// See MDL-52651 for an explanation as to why the rel="noreferrer" attribute is expected here.
// Also note we do not need to test links with an existing rel attribute as the HTML Purifier is configured to remove
// the rel attribute.
$text
=
'<a href="http://moodle.org" target="_blank">Some link</a>'
;
$expected
=
'<a href="http://moodle.org" target="_blank" rel="noreferrer">Some link</a>'
;
$result
=
format_text
(
$text
,
FORMAT_HTML
);
$this
->
assertSame
(
$
t
ex
t
,
$result
);
$this
->
assertSame
(
$ex
pected
,
$result
);
$result
=
format_text
(
'<a href="http://moodle.org" target="some">Some link</a>'
,
FORMAT_HTML
);
$this
->
assertSame
(
'<a href="http://moodle.org">Some link</a>'
,
$result
);
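Review bot: the test covers only a link with no rel attribute, and the comment explains that format_text() cannot exercise the other cases because the purifier configuration strips rel, so the transform's existing-rel paths (rel already containing noreferrer, and rel holding another value that should get ' noreferrer' appended) stay untested; that is exactly the code path where the substr()/strpos() mix-up in locallib.php hides. Suggest a direct unit test of HTMLPurifier_AttrTransform_Noreferrer::transform() with hand-built attribute arrays such as `array('target' => '_blank', 'rel' => 'nofollow')`, which does not depend on the purifier's attribute whitelist. The added target="some" assertion is a useful addition since it confirms that only _blank triggers the rel.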
lib/weblib.php
@@ -1733,7 +1733,7 @@ function purify_html($text, $options = array()) {
$config
=
HTMLPurifier_Config
::
createDefault
();
$config
->
set
(
'HTML.DefinitionID'
,
'moodlehtml'
);
$config
->
set
(
'HTML.DefinitionRev'
,
3
);
$config
->
set
(
'HTML.DefinitionRev'
,
4
);
$config
->
set
(
'Cache.SerializerPath'
,
$cachedir
);
$config
->
set
(
'Cache.SerializerPermissions'
,
$CFG
->
directorypermissions
);
$config
->
set
(
'Core.NormalizeNewlines'
,
false
);
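Review bot: bumping HTML.DefinitionRev from 3 to 4 is required here so that the serialized definition cached under Cache.SerializerPath for the 'moodlehtml' DefinitionID is rebuilt with the new Noreferrer module instead of the stale cached one being served; a one-line comment above the set() call saying that the rev must be bumped whenever a module is added or changed would spare the next person adding a module from wondering why nothing changes on an installed site.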
@@ -1775,6 +1775,9 @@ function purify_html($text, $options = array()) {
// Use the built-in Ruby module to add annotation support.
$def
->
manager
->
addModule
(
new
HTMLPurifier_HTMLModule_Ruby
());
// Use the custom Noreferrer module.
$def
->
manager
->
addModule
(
new
HTMLPurifier_HTMLModule_Noreferrer
());
}
$purifier
=
new
HTMLPurifier
(
$config
);
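Review bot: because the transform is registered via addBlankElement('a')->attr_transform_post, it runs after attribute validation, so the rel value it adds is not filtered by Attr.AllowedRel (the transform's docblock says as much) and the target value it inspects is the already-validated one; that is the intended behaviour for this fix, but a short comment beside the addModule() call stating that the module deliberately bypasses the rel whitelist would stop a reader from assuming Attr.AllowedRel governs this attribute.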
mod/data/field/url/field.class.php
@@ -114,6 +114,7 @@ class data_field_url extends data_field_base {
if
(
$this
->
field
->
param3
)
{
// param3 defines whether this URL should open in a new window.
$attributes
[
'target'
]
=
'_blank'
;
$attributes
[
'rel'
]
=
'noreferrer'
;
}
if
(
empty
(
$text
))
{
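Review bot: the assignment `$attributes['rel'] = 'noreferrer';` replaces any rel value already present in $attributes rather than appending to it, unlike the purifier transform in locallib.php which preserves existing tokens. If $attributes can carry a rel before this point, append with a space separator instead; if it cannot, a brief comment saying so would keep the two code paths from looking inconsistent. This output does not go through purify_html(), so setting rel explicitly here is the right call.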