Page MenuHomePhabricator
Differential D19117

Remove autodetection for whether links need "noreferrer"
ClosedPublic
Actions

Authored by epriestley on Feb 18 2018, 1:09 AM.
Tags
None
Referenced Files
Unknown Object (File)
Fri, Apr 19, 7:25 PM
Unknown Object (File)
Thu, Apr 18, 3:22 AM
Unknown Object (File)
Thu, Apr 11, 10:23 AM
Unknown Object (File)
Mon, Apr 8, 5:41 AM
Unknown Object (File)
Sat, Mar 30, 6:56 PM
Unknown Object (File)
Mar 23 2024, 5:42 PM
Unknown Object (File)
Mar 20 2024, 6:29 PM
Unknown Object (File)
Mar 20 2024, 11:15 AM
View All Files
Subscribers
None

Details

Reviewers
None
Commits
rPHU03e5605b42e4: (stable) Promote 2018 Week 8
rPHUa0de1601cb60: Remove autodetection for whether links need "noreferrer"
Summary

Via HackerOne. See https://hackerone.com/reports/317243.

We're still detecting these wrong because browsers treat <a href=" /<newline><tab>\evil.com">click here</a> as a valid protocol-relative link to evil.com.

Just give up and add "noreferrer" at the application level at all callsites, like we do with target="_blank" already.

Test Plan

Added failing tests; ran unit tests. See also next change.

Diff Detail

Repository
rPHU libphutil
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Revision Contents
Changeset List

PathSize
src/
markup/
__tests__/
60 lines
engine/
__tests__/
remarkup/
16 lines
remarkup/
markuprule/
7 lines
7 lines
33 lines

Diff 45811

View Options

src/markup/__tests__/PhutilMarkupTestCase.php

Loading...
View Options

src/markup/engine/__tests__/remarkup/link-noreferrer.txt

Loading...
View Options

src/markup/engine/remarkup/markuprule/PhutilRemarkupDocumentLinkRule.php

Loading...
View Options

src/markup/engine/remarkup/markuprule/PhutilRemarkupHyperlinkRule.php

Loading...
View Options

src/markup/render.php

Loading...
Phabricator · Built by Phacility