Remove autodetection for whether links need "noreferrer"
ClosedPublic

Authored by epriestley on Feb 18 2018, 1:09 AM.

Details

Summary

Via HackerOne. See https://hackerone.com/reports/317243.

We're still detecting these wrong because browsers treat <a href=" /<newline><tab>\evil.com">click here</a> as a valid protocol-relative link to evil.com.

Just give up and add "noreferrer" at the application level at all callsites, like we do with target="_blank" already.

Test Plan

Added failing tests; ran unit tests. See also next change.
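The failure mode described in the summary, as an added illustration that is not part of this revision or of libphutil: a string-based "is this link external?" heuristic is fooled by the href from the report, while a browser-style (WHATWG) parse resolves it to evil.com, so the only robust option is to emit rel="noreferrer" unconditionally. The base URL and the renderLink helper are assumptions for the example.

```javascript
// Added example (not libphutil code): why deciding "noreferrer" from the href
// string is unreliable, and what the unconditional application-level fix looks like.

// A typical detection heuristic: only treat a link as external when it carries an
// explicit scheme or starts with "//". This is the kind of check the revision removes.
function naiveIsExternal(href) {
  return /^(?:[a-z][a-z0-9+.-]*:)?\/\//i.test(href.trim());
}

// What a browser actually does: the WHATWG URL parser strips leading whitespace,
// drops embedded tabs and newlines, and treats "\" like "/" for http(s) URLs, so
// " /<LF><TAB>\evil.com" becomes "//evil.com", a protocol-relative link to evil.com.
function resolvedHost(href, base) {
  return new URL(href, base).host;
}

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' };
  return String(s).replace(/[&<>"]/g, (c) => map[c]);
}

// The fix: never decide per link; every anchor gets rel="noreferrer", the same
// way target="_blank" is already applied at the application level.
function renderLink(href, text) {
  return '<a href="' + escapeHtml(href) + '" rel="noreferrer">' + escapeHtml(text) + '</a>';
}

// Constructed input reproducing the href from the report: space, slash, newline,
// tab, backslash, hostname.
const TRICKY_HREF = ' /\n\t\\evil.com';
const BASE = 'https://app.example.test/'; // assumed origin of the rendering page

function demo() {
  return {
    naiveSaysExternal: naiveIsExternal(TRICKY_HREF), // false: heuristic misses it
    browserHost: resolvedHost(TRICKY_HREF, BASE),     // "evil.com": browser follows it
    html: renderLink(TRICKY_HREF, 'click here'),      // still carries rel="noreferrer"
  };
}
```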

Diff Detail

Repository
rPHU libphutil
Lint
Lint Not Applicable
Unit
Tests Not Applicable