WordPress.org

Make WordPress Core

Opened 17 months ago

Last modified 10 days ago

#37941 reopened enhancement

add rel="noopener noreferrer" to any target="_blank"

Reported by: Presskopp Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version:
Component: Security Keywords: good-first-bug has-patch
Focuses: Cc:

Description

This is a following ticket to #36809

It's about making these links more secure where/when they are used.

see:
https://www.jitbit.com/alexblog/256-targetblank---the-most-underestimated-vulnerability-ever/

Attachments (2)

37941.diff (71.9 KB) - added by Presskopp 17 months ago.
37941.2.diff (4.2 KB) - added by nicola.peluchetti 3 weeks ago.

Download all attachments as: .zip

Change History (18)

@Presskopp
17 months ago

#1 @Presskopp
17 months ago

  • Keywords has-patch added

Patch is simply adding it to any found instance.

I'm sure it needs more (or less) to be done,

but I don't know which php-files or js-files to touch, to generate this tags for each link with target="_blank" set.

Last edited 17 months ago by Presskopp (previous) (diff)

#2 @Presskopp
17 months ago

  • Keywords needs-patch added; has-patch removed

#3 @Ipstenu
17 months ago

  • Resolution set to duplicate
  • Status changed from new to closed

This doesn't need to be a separate ticket at this time.

#36809 is just going to transmute from fix A to fix B :) Happens all the time.

#4 @swissspidy
17 months ago

  • Milestone Awaiting Review deleted
  • Version trunk deleted

#5 @kevinlangleyjr
13 months ago

  • Resolution duplicate deleted
  • Status changed from closed to reopened

Per comment https://core.trac.wordpress.org/ticket/36809#comment:15 and https://core.trac.wordpress.org/ticket/36809#comment:10, this should be a separate ticket and patch than the original ticket.

Reopening since I've added a patch for the other ticket, #36809, and this is still valid per the above mentioned comments.

#6 @SergeyBiryukov
11 months ago

  • Milestone set to Awaiting Review

#7 @swissspidy
7 months ago

#41061 was marked as a duplicate.

#8 @galbaras
2 months ago

Will this fix be covering the Links functions for backward compatibility? I have those on several sites.

Google Lighthouse is flagging this as "not best practice", which means that WordPress sites are likely having ranking points taken off for insecure external links.

#9 @iandunn
2 months ago

  • Component changed from General to Security
  • Keywords good-first-bug added
  • Type changed from defect (bug) to enhancement

This ticket was mentioned in Slack in #core by canepa. View the logs.


5 weeks ago

#11 @Presskopp
5 weeks ago

I want to report that if you add a link to the toolbar like so

$args = array(
...
'href'   => 'https://example.com',
'meta'   => array(
...
'target' => '_blank',
...
// Add link
$wp_admin_bar->add_node($args);

it will not have these attributes..

#12 @nicola.peluchetti
3 weeks ago

@iandunn I added a patch to fix

$wp_admin_bar->add_node

behaviour so that, when adding a link with 'target' => '_blank', it will add 'noopener noreferrer' to the rel ( creating it if it doesn't exists ).

#13 @galbaras
2 weeks ago

Awesome! Will this fix be covering the old Links functions for backward compatibility?

#14 @nicola.peluchetti
2 weeks ago

@galbaras what do you mean as "Old links function"?I've posted a fix for $wp_admin_bar->add_node($args); while the original patch addresses issues in html links. Can you try to use both and see if it fixes your issues?If it doesn't, just add the issue here with an explanation

#15 @swissspidy
2 weeks ago

I guess they mean the old Link Manager. That one is deprecated though, so it won‘t get any updates.

#16 @nicola.peluchetti
10 days ago

  • Keywords has-patch added; needs-patch removed
Note: See TracTickets for help on using tickets.