Make WordPress Core


Timestamp:
11/03/2021 08:00:36 PM (3 years ago)
Author:
davidbaumwald
Message:

Comments: Add noopener noreferrer to author links in list table.

When viewing the listing of all comments, author links previously passed referrer information to untrusted URLs. This change adds noreferrer to each author link, as well as noopener to prevent the passing of information about the parent window.

Props cybr, adam3128, erayalakese, andraganescu, audrasjb, joedolson, sabernhardt. 
Fixes #40916.

File:
1 edited

  • trunk/src/wp-admin/includes/class-wp-comments-list-table.php

    r51737 r52007  
    948948
    949949        if ( ! empty( $author_url_display ) ) {
    950             printf( '<a href="%s">%s</a><br />', esc_url( $author_url ), esc_html( $author_url_display ) );
     950            // Print link to author URL, and disallow referrer information (without using target="_blank").
     951            printf(
     952                '<a href="%s" rel="noopener noreferrer">%s</a><br />',
     953                esc_url( $author_url ),
     954                esc_html( $author_url_display )
     955            );
    951956        }
    952957
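
Review bot: The rel value on new line 952 includes noopener, but the comment on new line 950 only explains the referrer part and notes that the link has no target="_blank". Without a target attribute the link navigates in the same browsing context, so there is no opener relationship for noopener to sever, and noreferrer already implies noopener behaviour per the HTML specification. Either reduce the attribute to rel="noreferrer", or extend the comment to say that noopener is kept deliberately (for example, for consistency with other core links or for older browsers), so the next reader does not take it for a leftover. The esc_url() and esc_html() calls are carried over unchanged from the removed line, which is correct.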