
Changeset 41408 for branches/4.0


Timestamp:
09/19/2017 10:15:33 AM (8 years ago)
Author:
ocean90
Message:

Editor: Prevent adding javascript: and data: URLs through the inline link dialog.

Merge of [41393] to the 4.0 branch.

Location:
branches/4.0
Files:
2 edited

  • branches/4.0

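--- a/branches/4.0/src/wp-includes/js/wplink.js
+++ b/branches/4.0/src/wp-includes/js/wplink.js
@@ -207,4 +207,11 @@
             attrs = wpLink.getAttrs();
 
+            var parser = document.createElement( 'a' );
+            parser.href = attrs.href;
+
+            if ( 'javascript:' === parser.protocol || 'data:' === parser.protocol ) { // jshint ignore:line
+                attrs.href = '';
+            }
+
             // If there's no href, return.
             if ( ! attrs.href || attrs.href == 'http://' )
@@ -220,5 +227,5 @@
 
             if ( attrs.target ) {
-                html += ' target="' + attrs.target + '"';
+                html += ' rel="noopener" target="' + attrs.target + '"';
             }
 
@@ -271,4 +278,11 @@
 
             link = editor.dom.getParent( editor.selection.getNode(), 'a[href]' );
+
+            var parser = document.createElement( 'a' );
+            parser.href = attrs.href;
+
+            if ( 'javascript:' === parser.protocol || 'data:' === parser.protocol ) { // jshint ignore:line
+                attrs.href = '';
+            }
 
             // If the values are empty, unlink and return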
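Review bot: The guard added in the first and third hunks is a two-scheme blocklist tested against the browser-parsed `parser.protocol` of the raw dialog value, pasted identically into both functions; `vbscript:` is not covered, and because the check runs before the value is concatenated into `html` (that concatenation is outside these hunks), an entity-encoded form such as `javascript&colon;alert(1)` contains no `:` at this point, parses as a relative URL with the page's own scheme, and passes — whether the editor layer or server-side kses catches it afterwards is not visible here. I would invert this into one shared allowlist helper used by both call sites, deciding on the entity-decoded href (or, equivalently, make sure the href is attribute-escaped where `html` is built), with the scheme list kept in step with the server-side allowed-protocols list. Both enclosing functions begin outside the hunks, and the `attrs` read in the third hunk is assigned outside it as well.
```javascript
// … unchanged: rest of the wpLink object …
// True only for schemes the dialog may emit; relative hrefs resolve to the page's
// http(s) scheme. Decoding first keeps `javascript&colon;…` from slipping past the
// parser (a textarea parses as RCDATA, so innerHTML here only decodes entities).
hasSafeHref: function( href ) {
	var decoder = document.createElement( 'textarea' ),
		parser = document.createElement( 'a' );

	decoder.innerHTML = href;
	parser.href = decoder.value;

	return /^(https?|ftp|mailto|tel|news|irc):$/.test( parser.protocol );
},

// … at both call sites, replacing the pasted-in parser block …
if ( ! wpLink.hasSafeHref( attrs.href ) ) {
	attrs.href = '';
}
```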