WordPress.org

Make WordPress Core

Opened 15 months ago

Last modified 11 days ago

#37941 reopened defect (bug)

add rel="noopener noreferrer" to any target="_blank"

Reported by: Presskopp
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version:
Component: General
Keywords: needs-patch
Focuses:
Cc:

Description

This is a follow-up ticket to #36809.

It's about making these links more secure where/when they are used.

see:
https://www.jitbit.com/alexblog/256-targetblank---the-most-underestimated-vulnerability-ever/
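
As an added illustration of the change the ticket title asks for (not code from the attached patch or from WordPress core): `noopener` keeps a page opened with target="_blank" from reaching back through `window.opener`, and `noreferrer` also drops the Referer header. The helper names `hardenBlankTargets` and `mergeRel` are hypothetical, and the sample markup is constructed.

```javascript
// Added example, not WordPress core code. hardenBlankTargets() and
// mergeRel() are hypothetical helper names chosen for this illustration.
const REQUIRED = ['noopener', 'noreferrer'];

// Opening <a ...> tag; quoted attribute values may themselves contain '>'.
const A_TAG = /<a(\s(?:"[^"]*"|'[^']*'|[^'">])*)>/gi;
// target=_blank in any case, with double, single or no quotes.
const BLANK = /\starget\s*=\s*(["']?)_blank\1(?=\s|$)/i;
// An existing rel attribute: double-quoted, single-quoted or bare value.
const REL_ATTR = /(\s)rel\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/i;

// Keep the author's rel tokens (e.g. nofollow) and append the missing ones.
function mergeRel(value) {
  const tokens = value.split(/\s+/).filter(Boolean);
  const have = new Set(tokens.map((t) => t.toLowerCase()));
  for (const r of REQUIRED) {
    if (!have.has(r)) tokens.push(r);
  }
  return tokens.join(' ');
}

function hardenBlankTargets(html) {
  return html.replace(A_TAG, (tag, attrs) => {
    if (!BLANK.test(attrs)) return tag; // same-tab links are left alone
    const fixed = REL_ATTR.test(attrs)
      ? attrs.replace(REL_ATTR, (m, sp, dq, sq, bare) =>
          `${sp}rel="${mergeRel(dq ?? sq ?? bare)}"`)
      : `${attrs} rel="noopener noreferrer"`;
    return tag.slice(0, 2) + fixed + '>'; // keep the original <a / <A casing
  });
}

// Constructed sample markup, not taken from the ticket's patch.
const sample = [
  '<a href="https://example.com/" target="_blank">plain</a>',
  "<a target='_blank' rel='nofollow' href='/x'>has rel</a>",
  '<a href="/same-tab">untouched</a>',
].join('\n');
console.log(hardenBlankTargets(sample));
```

Regex rewriting is an approximation that can misread attribute-like text inside another attribute's value; code that already has a parsed DOM or an HTML parser available should set `rel` there instead.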

Attachments (1)

37941.diff (71.9 KB) - added by Presskopp 15 months ago.


Change History (9)

#1 @Presskopp
15 months ago

  • Keywords has-patch added

Patch is simply adding it to any found instance.

I'm sure it needs more (or less) to be done, but I don't know which php-files or js-files to touch to generate these tags for each link with target="_blank" set.


#2 @Presskopp
15 months ago

  • Keywords needs-patch added; has-patch removed

#3 @Ipstenu
15 months ago

  • Resolution set to duplicate
  • Status changed from new to closed

This doesn't need to be a separate ticket at this time.

#36809 is just going to transmute from fix A to fix B :) Happens all the time.

#4 @swissspidy
15 months ago

  • Milestone Awaiting Review deleted
  • Version trunk deleted

#5 @kevinlangleyjr
11 months ago

  • Resolution duplicate deleted
  • Status changed from closed to reopened

Per comment https://core.trac.wordpress.org/ticket/36809#comment:15 and https://core.trac.wordpress.org/ticket/36809#comment:10, this should be a separate ticket and patch from the original ticket.

Reopening since I've added a patch for the other ticket, #36809, and this is still valid per the above-mentioned comments.

#6 @SergeyBiryukov
9 months ago

  • Milestone set to Awaiting Review

#7 @swissspidy
5 months ago

#41061 was marked as a duplicate.

#8 @galbaras
11 days ago

Will this fix be covering the Links functions for backward compatibility? I have those on several sites.

Google Lighthouse is flagging this as "not best practice", which means that WordPress sites are likely having ranking points taken off for insecure external links.
