}
}
+
+/**
+ * A custom HTMLPurifier transformation. Adds rel="noreferrer" to all links with target="_blank".
+ *
+ * @package core
+ * @copyright Cameron Ball
+ * @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
+ */
+class HTMLPurifier_AttrTransform_Noreferrer extends HTMLPurifier_AttrTransform {
+ /** @var HTMLPurifier_URIParser $parser */
+ private $parser;
+
+ /**
+ * Constructor.
+ */
+ public function __construct() {
+ $this->parser = new HTMLPurifier_URIParser();
+ }
+
+ /**
+ * Transforms a tags such that when a target attribute is present, rel="noreferrer" is added.
+ *
+ * Note that this will not respect Attr.AllowedRel
+ *
+ * @param array $attr Assoc array of attributes, usually from
+ * HTMLPurifier_Token_Tag::$attr
+ * @param HTMLPurifier_Config $config Mandatory HTMLPurifier_Config object.
+ * @param HTMLPurifier_Context $context Mandatory HTMLPurifier_Context object
+ * @return array Processed attribute array.
+ */
+ public function transform($attr, $config, $context) {
+ // Nothing to do If we already have noreferrer in the rel attribute
+ if (!empty($attr['rel']) && substr($attr['rel'], 'noreferrer') !== false) {
+ return $attr;
+ }
+
+ // If _blank target attribute exists, add rel=noreferrer
+ if (!empty($attr['target']) && $attr['target'] == '_blank') {
+ $attr['rel'] = !empty($attr['rel']) ? $attr['rel'] . ' noreferrer' : 'noreferrer';
+ }
+
+ return $attr;
+ }
+}
+
+/**
+ * A custom HTMLPurifier module to add rel="noreferrer" attributes a tags.
+ *
+ * @package core
+ * @copyright Cameron Ball
+ * @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
+ */
+class HTMLPurifier_HTMLModule_Noreferrer extends HTMLPurifier_HTMLModule {
+ /** @var string $name */
+ public $name = 'Noreferrer';
+
+ /**
+ * Module setup
+ *
+ * @param HTMLPurifier_Config $config
+ */
+ public function setup($config) {
+ $a = $this->addBlankElement('a');
+ $a->attr_transform_post[] = new HTMLPurifier_AttrTransform_Noreferrer();
+ }
+}
* Verify _blank target is allowed.
*/
public function test_allow_blank_target() {
+ // See MDL-52651 for an explanation as to why the rel="noreferrer" attribute is expected here.
+ // Also note we do not need to test links with an existing rel attribute as the HTML Purifier is configured to remove
+ // the rel attribute.
$text = '<a href="http://moodle.org" target="_blank">Some link</a>';
+ $expected = '<a href="http://moodle.org" target="_blank" rel="noreferrer">Some link</a>';
$result = format_text($text, FORMAT_HTML);
- $this->assertSame($text, $result);
+ $this->assertSame($expected, $result);
$result = format_text('<a href="http://moodle.org" target="some">Some link</a>', FORMAT_HTML);
$this->assertSame('<a href="http://moodle.org">Some link</a>', $result);
$config = HTMLPurifier_Config::createDefault();
$config->set('HTML.DefinitionID', 'moodlehtml');
- $config->set('HTML.DefinitionRev', 3);
+ $config->set('HTML.DefinitionRev', 4);
$config->set('Cache.SerializerPath', $cachedir);
$config->set('Cache.SerializerPermissions', $CFG->directorypermissions);
$config->set('Core.NormalizeNewlines', false);
// Use the built-in Ruby module to add annotation support.
$def->manager->addModule(new HTMLPurifier_HTMLModule_Ruby());
+
+ // Use the custom Noreferrer module.
+ $def->manager->addModule(new HTMLPurifier_HTMLModule_Noreferrer());
}
$purifier = new HTMLPurifier($config);
