WordPress.org

Make WordPress Core

Opened 6 months ago

Last modified 6 months ago

#40916 assigned enhancement

Add "noreferrer" to comments in dashboard

Reported by: Cybr Owned by: adam3128
Milestone: Awaiting Review Priority: normal
Severity: normal Version:
Component: Comments Keywords: good-first-bug has-patch needs-testing 2nd-opinion
Focuses: administration Cc:

Description

Within /wp-admin/edit-comments.php, one might check out a posted link before verifying the comment's legitimacy.

While doing so, we're sending the linked site that their comment got through; plausibly opening yourself to complications.

Whatever the reason may be, I don't think we should give spammers any information.

To resolve this, simply add rel=noreferrer to those links.

Attachments (4)

class-wp-comments-list-table.diff (1.1 KB) - added by adam3128 6 months ago.
Conditional check for comment status. If not approved, add noreferrer to anchor tags shown on dashboard.
class-wp-comments-list-table-v2.diff (628 bytes) - added by adam3128 6 months ago.
Version 2 of solution with target blank and noopener
40916.diff (3.9 KB) - added by Cybr 6 months ago.
wp_unbind_links() function, attached to comments through JIT filter
class-wp-comments-list-table-v3.diff (963 bytes) - added by erayalakese 6 months ago.
A small modification to reduce code repeat

Download all attachments as: .zip

Change History (11)

#1 @johnbillion
6 months ago

  • Keywords needs-patch good-first-bug added
  • Version trunk deleted

@adam3128
6 months ago

Conditional check for comment status. If not approved, add noreferrer to anchor tags shown on dashboard.

#2 @adam3128
6 months ago

Hey guys,

First ticket I've contributed code towards the core for. Attached a diff file which I think resolves this issue.

Any issues, just let me know.

Hope this helps,

Adam

#3 @adam3128
6 months ago

  • Keywords has-patch 2nd-opinion added; needs-patch removed

#4 @Cybr
6 months ago

We might also wish to add target=_blank and add rel="noopener noreferrer" to optimize flow and prevent window hijacking thereof.

Ref: https://wordpress.org/support/topic/remove-rel-noopener-noreferrer-in-wordpress-4-7-4/#post-9057251

I think we shouldn't go away from the admin area in the first place, also.

@adam3128 I think the "approved" status check is redundant, even though it's a nice touch. Visitors comment for the front-end, after all.

@adam3128
6 months ago

Version 2 of solution with target blank and noopener

#5 @adam3128
6 months ago

  • Keywords 2nd-opinion removed

Hey @Cybr,

Thanks for the feedback above. That sounds good to me.

I've attached the new revision with your comments taken on board.

Any issues, just let me know.

Adam

@Cybr
6 months ago

wp_unbind_links() function, attached to comments through JIT filter

#6 @Cybr
6 months ago

  • Keywords needs-testing 2nd-opinion added

The file I've attached incorporates @adam3128's changes (author links).
Also including a filter that applies to all comments' contents on the wp-admin/edit-comments.php screen.

The filter catches all links through a new function (wp_unbind_links()) and removes all formats of target and rel attributes, finally replacing them with empty strings without fail. Even rel="something example'" gets caught.

From there it adds target=_blank rel="noopener noreferrer" to each found link.

The code has been tested and works on PHP 5.2.16 and PHP 7.1.5.

What needs to be determined is the placement of the filter.
i.e. Do we want to catch all new comments, all current comments, or only the comments on the said admin screen?

Last edited 6 months ago by Cybr (previous) (diff)

@erayalakese
6 months ago

A small modification to reduce code repeat

#7 @DrewAPicture
6 months ago

  • Owner set to adam3128
  • Status changed from new to assigned

Assigning ownership to mark the good-first-bug as "claimed".

Note: See TracTickets for help on using tickets.