Page MenuHomePhabricator

Explicitly add rel="noreferrer" to all external links
ClosedPublic

Authored by epriestley on Feb 18 2018, 1:43 AM.
Tags
None
Referenced Files
Unknown Object (File)
Sat, Mar 23, 5:44 PM
Unknown Object (File)
Sat, Mar 23, 5:42 PM
Unknown Object (File)
Wed, Mar 20, 6:29 PM
Unknown Object (File)
Wed, Mar 20, 6:29 PM
Unknown Object (File)
Wed, Mar 20, 11:16 AM
Unknown Object (File)
Mon, Mar 4, 5:09 PM
Unknown Object (File)
Feb 27 2024, 4:42 PM
Unknown Object (File)
Feb 16 2024, 6:55 PM
Subscribers
Restricted Owners Package

Details

Summary

See D19117. Instead of automatically figuring this out inside phutil_tag(), explicitly add rel="noreferrer" at the application level to all external links.

Test Plan
  • Grepped for _blank, isValidRemoteURIForLink, checked all callsites for user-controlled data.
  • Created a link menu item, verified noreferrer in markup.
  • Created a link custom field, verified no referrer in markup.
  • Verified noreferrer for {nav href=...}.

Diff Detail

Repository
rP Phabricator
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

Owners added a subscriber: Restricted Owners Package.Feb 18 2018, 1:43 AM
This revision was not accepted when it landed; it landed in state Needs Review.Feb 18 2018, 1:44 AM
epriestley requested review of this revision.
This revision was automatically updated to reflect the committed changes.
src/applications/files/markup/PhabricatorImageRemarkupRule.php
23

This was rendering <img href="..." /> which has no effect since href doesn't go on img.