Remove autodetection for whether links need "noreferrer"

Description

Remove autodetection for whether links need "noreferrer"

Summary:
Via HackerOne. See https://hackerone.com/reports/317243.

We're still detecting these wrong because browsers treat <a href=" /<newline><tab>\evil.com">click here</a> as a valid protocol-relative link to evil.com.

Just give up and add "noreferrer" at the application level at all callsites, like we do with target="_blank" already.

Test Plan: Added failing tests; ran unit tests. See also next change.

Differential Revision: https://secure.phabricator.com/D19117
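Why string-based detection misclassifies the href quoted in the summary, as an added example that is not Phabricator's code. `naiveIsLocal` is a hypothetical stand-in for the removed autodetection and the base URL is constructed; the comparison uses the WHATWG URL parser that browsers and Node.js implement.

```javascript
// Added example, not Phabricator code. Names and BASE are assumptions.
const BASE = 'https://phabricator.example/T123'; // constructed base URL

// The href from the commit summary: space, slash, newline, tab, backslash.
const HREF_FROM_COMMIT = ' /\n\t\\evil.com';

// Hypothetical heuristic: "one leading slash, not two" means same-site.
function naiveIsLocal(href) {
  const h = href.trim();
  return h.startsWith('/') && !h.startsWith('//');
}

// Host the WHATWG parser resolves to. It strips leading/trailing whitespace,
// drops tabs and newlines, and treats "\" as "/" for http(s) URLs, so
// " /\n\t\evil.com" is parsed like "//evil.com".
function resolvedHost(href) {
  return new URL(href, BASE).host;
}

function isActuallyLocal(href) {
  return resolvedHost(href) === new URL(BASE).host;
}

// Side-by-side view of heuristic vs. parser for a list of hrefs.
function compare(hrefs) {
  return hrefs.map((href) => {
    const naive = naiveIsLocal(href);
    const actual = isActuallyLocal(href);
    return { href, naive, host: resolvedHost(href), mismatch: naive !== actual };
  });
}

// The approach the commit takes: no detection, the caller always sets rel.
function renderLink(href, text) {
  const esc = (s) => s.replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);
  return `<a href="${esc(href)}" rel="noreferrer">${esc(text)}</a>`;
}

for (const row of compare(['/T123', '//evil.com', HREF_FROM_COMMIT])) {
  console.log(JSON.stringify(row));
}
console.log(renderLink(HREF_FROM_COMMIT, 'click here'));
```

Only the third sample reports `mismatch: true`: the heuristic calls it local while the parser resolves it to another host, which is why the rendering helper sets `rel="noreferrer"` unconditionally.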

Details

Provenance
epriestley Authored on Feb 18 2018, 1:02 AM
epriestley Pushed on Feb 18 2018, 1:46 AM
Differential Revision
D19117: Remove autodetection for whether links need "noreferrer"
Parents
rPHUe1f7cfefe880: Provide a streaming HTTP response parser
Branches
Unknown
Tags
Unknown
Build Status
Buildable 19619
Build 26559: Run Core Tests