
Remove autodetection for whether links need "noreferrer"
ClosedPublic

Authored by epriestley on Feb 18 2018, 1:09 AM.
Tags
None
Referenced Files
F14492016: D19117.id45811.diff
Thu, Jan 2, 2:43 PM
Subscribers
None

Details

Summary

Via HackerOne. See https://hackerone.com/reports/317243.

We're still detecting these wrong because browsers treat <a href=" /<newline><tab>\evil.com">click here</a> as a valid protocol-relative link to evil.com.

Just give up and add "noreferrer" at the application level at all callsites, like we do with target="_blank" already.

Test Plan

Added failing tests; ran unit tests. See also next change.

Diff Detail

Repository
rPHU libphutil
Branch
noreferrer
Lint
Lint Passed
Unit
Tests Passed
Build Status
Buildable 19617
Build 26556: Run Core Tests
Build 26555: arc lint + arc unit