
Remove autodetection for whether links need "noreferrer"
ClosedPublic

Authored by epriestley on Feb 18 2018, 1:09 AM.

Details

Summary

Via HackerOne. See https://hackerone.com/reports/317243.

We're still detecting these wrong because browsers treat <a href=" /<newline><tab>\evil.com">click here</a> as a valid protocol-relative link to evil.com.

Just give up and add "noreferrer" at the application level at all callsites, like we do with target="_blank" already.

Test Plan

Added failing tests; ran unit tests. See also next change.

Diff Detail

Repository
rPHU libphutil
Lint
Lint Not Applicable
Unit
Tests Not Applicable
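
The following is an added example, not part of this revision or of libphutil. It shows why prefix-based detection misses the href quoted in the summary while a WHATWG URL parser (as browsers use) resolves it to evil.com, and what emitting "noreferrer" unconditionally looks like. The function names, the regex, and the base URL phabricator.example.com are assumptions made for illustration.

```javascript
// Hypothetical names throughout; SITE is a constructed base URL.
const SITE = 'https://phabricator.example.com/';

// Simplified stand-in for autodetection: only hrefs that visibly start with
// a scheme or "//" are classified as external.
function naiveIsExternal(href) {
  return /^([a-z][a-z0-9+.-]*:|\/\/)/i.test(href);
}

// Browser view: the WHATWG URL parser trims leading/trailing spaces and
// control characters, drops every tab and newline, and treats "\" as "/"
// for http(s) URLs before resolving against the page's base URL.
function browserResolvedHost(href) {
  try {
    return new URL(href, SITE).host;
  } catch (e) {
    return null; // href the parser rejects
  }
}

function escapeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
          .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// The approach the summary settles on: no detection, every link gets
// rel="noreferrer" at the callsite.
function renderLink(href, text) {
  return `<a href="${escapeAttr(href)}" rel="noreferrer">${escapeAttr(text)}</a>`;
}

// Constructed samples; the last one is the href from the summary.
const SAMPLES = ['/D19117', '//evil.com', ' /\n\t\\evil.com'];

function report() {
  return SAMPLES.map((href) => ({
    href: JSON.stringify(href),
    naiveExternal: naiveIsExternal(href),
    resolvedHost: browserResolvedHost(href),
  }));
}

console.table(report());
```

Any row where `naiveExternal` is false but `resolvedHost` differs from the site's own host is a link the detection would have left without "noreferrer".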