WordPress.org

Make WordPress Core

Opened 7 weeks ago

Closed 2 weeks ago

#46421 closed defect (bug) (fixed)

rel="noopener noreferrer" should be added to links with target="_blank" which are in text and HTML widgets

Reported by: mark-k Owned by: audrasjb
Milestone: 5.2 Priority: normal
Severity: normal Version: 5.1
Component: Widgets Keywords: has-patch has-unit-tests commit
Focuses: Cc:

Description

From inspecting the code related to #43187 it seems like links in all of the content that should open in new window get the rel="noopener noreferrer" attribute, but it leaves the text and HTML widgets with no such treatment. IMHO it needs to happen in that context as well.

Attachments (2)

46421.diff (1.4 KB) - added by audrasjb 5 weeks ago.
Add rel noopener/noreferrer to both Widgets Text and Custom HTML
46421-2.diff (4.9 KB) - added by birgire 5 weeks ago.

Download all attachments as: .zip

Change History (14)

#1 @audrasjb
6 weeks ago

  • Component changed from General to Widgets
  • Owner set to audrasjb
  • Status changed from new to reviewing

#2 @audrasjb
5 weeks ago

  • Milestone changed from Awaiting Review to 5.2
  • Status changed from reviewing to accepted

@audrasjb
5 weeks ago

Add rel noopener/noreferrer to both Widgets Text and Custom HTML

#3 @audrasjb
5 weeks ago

  • Keywords has-patch 2nd-opinion added

46421.diff adds rel noopener/noreferrer attribute to both Text and Custom HTML widgets.

I propose to use the existing function wp_targeted_link_rel() which is located and documented in wp-inludes/formatting.php.

The patch works fine on my side for both Text and Custom HTML widgets.

#4 @mukesh27
5 weeks ago

@audrasjb, 46421.diff patch working fine for me in both the widgets.

Below HTML code is tested in both the widgets.

Code:

<a href="https://wordpress.org/" target="_blank">WordPress</a>
<a href="https://wordpress.org/" target="_top">WordPress</a>
<a href="https://wordpress.org/" target="_self">WordPress</a>
<a href="https://wordpress.org/" target="" rel="noopener">WordPress</a>
<a href="https://wordpress.org/" target="" rel="noreferrer">WordPress</a>
<a href="https://wordpress.org/" target="" rel="noreferrer noopener">WordPress</a>
<a href="https://wordpress.org/" rel="noreferrer noopener">WordPress</a>

Result:

<a href="https://wordpress.org/" target="_blank" rel="noopener noreferrer">WordPress</a>
<a href="https://wordpress.org/" target="_top" rel="noopener noreferrer">WordPress</a>
<a href="https://wordpress.org/" target="_self" rel="noopener noreferrer">WordPress</a>
<a href="https://wordpress.org/" target="" rel="noopener noreferrer">WordPress</a>
<a href="https://wordpress.org/" target="" rel="noreferrer noopener">WordPress</a>
<a href="https://wordpress.org/" target="" rel="noreferrer noopener">WordPress</a>
<a href="https://wordpress.org/" rel="noreferrer noopener">WordPress</a>

Can we change docs for function wp_targeted_link_rel() in both widget?

// Adds rel noreferrer and noopener to all HTML A elements that have a target.

something

// Adds rel noreferrer and noopener to all HTML A elements that have a target in addition to any existing values.

#5 @birgire
5 weeks ago

  • Keywords has-unit-tests added

46421-2.diff adds the following test cases:

  • Ensure that rel="noopener noreferrer" is added to links with a target in the output of the Text widget.
  • Ensure these relationships are not added to links without a target in the output of the Text widget.
  • Ensure that rel="noopener noreferrer" is added to links with a target in the output of the Custom HTML widget.
  • Ensure these relationships are not added to links without a target in the output of the Custom HTML widget.

@mukesh27 I guess you mean to make it clear that adding these relationships, is not causing any duplication.

I modified your suggestion to:

// Adds noreferrer and noopener relationships, without duplicating values, to all HTML A elements that have a target.

in 46421-2.diff.

What do you think about this modified inline comment version?

@birgire
5 weeks ago

#6 @birgire
5 weeks ago

Another suggestion of the inline comment could be:

// Adds noreferrer and noopener relationships, without duplicating values, to all anchor tags that have a target attribute.

#7 @mukesh27
5 weeks ago

@birgire patch 46421-2.diff inline comment suggestion look good for me.

@audrasjb can you please review patch and inline comment text.

#8 @audrasjb
5 weeks ago

  • Keywords commit added; 2nd-opinion removed

Tested on my side and 46421-2.diff looks great. Thanks for the patch and the unit-tests @birgire !
Adding commit keyword.

#9 follow-up: @afercia
5 weeks ago

One thing to discuss is the actual usefulness of noreferrer:

  • it was used to support old browsers that had no support for noopener
  • seems redundant after [41741] see #42036

#10 in reply to: ↑ 9 @audrasjb
5 weeks ago

Replying to afercia:

One thing to discuss is the actual usefulness of noreferrer:

  • it was used to support old browsers that had no support for noopener
  • seems redundant after [41741] see #42036

As mentionned on #43280 I think both of the rel attributes should be added, in order to keep some consistency with https://developer.wordpress.org/reference/functions/wp_targeted_link_rel/

If we want to remove noreferrer, I believe we should remove it from that function first ;)

Last edited 5 weeks ago by audrasjb (previous) (diff)

#12 @pento
2 weeks ago

  • Resolution set to fixed
  • Status changed from accepted to closed

In 45143:

Widgets: Add rel="noopener noreferrer" to links with target="_blank" in the Text and HTML widgets.

Props audrasjb, birgire, mukesh27.
Fixes #46421.

Note: See TracTickets for help on using tickets.