
Changeset 41411


Timestamp:
09/19/2017 10:15:44 AM (7 years ago)
Author:
ocean90
Message:

Editor: Prevent adding javascript: and data: URLs through the inline link dialog.

Merge of [41393] to the 3.7 branch.

Location:
branches/3.7
Files:
3 edited

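--- a/branches/3.7/src/wp-includes/js/wplink.js
+++ b/branches/3.7/src/wp-includes/js/wplink.js
@@ -165,4 +165,11 @@
             attrs = wpLink.getAttrs();
 
+            var parser = document.createElement( 'a' );
+            parser.href = attrs.href;
+
+            if ( 'javascript:' === parser.protocol || 'data:' === parser.protocol ) { // jshint ignore:line
+                attrs.href = '';
+            }
+
             // If there's no href, return.
             if ( ! attrs.href || attrs.href == 'http://' )
@@ -175,5 +182,5 @@
             html += ' title="' + attrs.title + '"';
             if ( attrs.target )
-                html += ' target="' + attrs.target + '"';
+                html += ' rel="noopener" target="' + attrs.target + '"';
 
             html += '>';
@@ -221,4 +228,11 @@
             tinyMCEPopup.restoreSelection();
             e = ed.dom.getParent(ed.selection.getNode(), 'A');
+
+            var parser = document.createElement( 'a' );
+            parser.href = attrs.href;
+
+            if ( 'javascript:' === parser.protocol || 'data:' === parser.protocol ) { // jshint ignore:line
+                attrs.href = '';
+            }
 
             // If the values are empty, unlink and return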
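Review bot: The protocol check added at new lines 167-172 is a denylist of exactly two schemes, and the same seven lines are repeated verbatim at new lines 230-236; both should call one shared helper so the list of rejected schemes lives in a single place and a future addition cannot be applied to one dialog path and forgotten in the other. The helper should also carry a comment explaining the non-obvious reason for routing the value through an anchor element rather than string-matching `attrs.href`, since the browser's URL parser is what normalises scheme case and stray whitespace before `.protocol` is compared. The enclosing functions start before each hunk, so `attrs` is presumed to be the object populated by `wpLink.getAttrs()`; if the dialog ever allows an arbitrary scheme, an allowlist of the schemes the editor is meant to insert would be the more robust shape than extending the denylist. At new line 184, `attrs.target` is still concatenated into the attribute string without escaping; that is presumably a fixed value from a checkbox and not user text, but it is worth confirming at the caller.
```javascript
// Reject URL schemes that execute script or embed inline content.
// The value is parsed by an anchor element so the comparison sees the
// browser-normalised scheme (lower-cased, surrounding whitespace stripped),
// matching what will actually run when the link is followed.
function isUnsafeHref( href ) {
    var parser = document.createElement( 'a' );
    parser.href = href;
    return 'javascript:' === parser.protocol || 'data:' === parser.protocol; // jshint ignore:line
}

// … unchanged: attrs = wpLink.getAttrs(); …
            if ( isUnsafeHref( attrs.href ) ) {
                attrs.href = '';
            }
// … unchanged: same replacement at the second call site …
```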