
Changeset 41410


Timestamp:
09/19/2017 10:15:40 AM (8 years ago)
Author:
ocean90
Message:

Editor: Prevent adding javascript: and data: URLs through the inline link dialog.

Merge of [41393] to the 3.8 branch.

Location:
branches/3.8
Files:
2 edited

  • branches/3.8

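--- a/branches/3.8/src/wp-includes/js/wplink.js
+++ b/branches/3.8/src/wp-includes/js/wplink.js
@@ -166,4 +166,11 @@
             attrs = wpLink.getAttrs();
 
+            var parser = document.createElement( 'a' );
+            parser.href = attrs.href;
+
+            if ( 'javascript:' === parser.protocol || 'data:' === parser.protocol ) { // jshint ignore:line
+                attrs.href = '';
+            }
+
             // If there's no href, return.
             if ( ! attrs.href || attrs.href == 'http://' )
@@ -176,5 +183,5 @@
                 html += ' title="' + attrs.title + '"';
             if ( attrs.target )
-                html += ' target="' + attrs.target + '"';
+                html += ' rel="noopener" target="' + attrs.target + '"';
 
             html += '>';
@@ -221,4 +228,11 @@
             tinyMCEPopup.restoreSelection();
             e = ed.dom.getParent(ed.selection.getNode(), 'A');
+
+            var parser = document.createElement( 'a' );
+            parser.href = attrs.href;
+
+            if ( 'javascript:' === parser.protocol || 'data:' === parser.protocol ) { // jshint ignore:line
+                attrs.href = '';
+            }
 
             // If the values are empty, unlink and return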
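Review bot: The scheme check at new lines 168–173 is a two-entry denylist and is copied verbatim at 230–236, so the two call sites can drift apart and any scheme other than `javascript:` or `data:` is accepted. Consider moving it into one helper on `wpLink` that both functions call, and inverting it to an allowlist of the schemes the dialog is meant to produce, e.g. `if ( ! /^(https?|ftp|mailto):$/.test( parser.protocol ) ) { attrs.href = ''; }` (the exact list should match whatever the server-side filter accepts, which is not visible here). This filter runs only in the dialog, so it does not replace sanitising the saved content on the server. Both enclosing functions start and end outside the hunks shown.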