WordPress.org

Make WordPress Core

Opened 2 months ago

Last modified 2 months ago

#46580 new enhancement

Is there a reason we add noopener noreferrer on all anchor tags with target=?

Reported by: heller_benjamin Owned by:
Milestone: Awaiting Review Priority: normal
Severity: minor Version: 5.1
Component: General Keywords:
Focuses: Cc:

Description

<?php
/**
 * Adds rel noreferrer and noopener to all HTML A elements that have a target.
 *
 * @param string $text Content that may contain HTML A elements.
 * @return string Converted content.
 */
function wp_targeted_link_rel( $text ) {
        // Don't run (more expensive) regex if no links with targets.
        if ( stripos( $text, 'target' ) !== false && stripos( $text, '<a ' ) !== false ) {
                $text = preg_replace_callback( '|<a\s([^>]*target\s*=[^>]*)>|i', 'wp_targeted_link_rel_callback', $text );
        }

        return $text;
}

I have run into an issue with a Gutenberg block that failed to validate because target="_self" is getting rel="noopener noreferrer" added. Is there a reason we cannot put a strpos conditional for "_blank" or something similar?

Change History (2)

#1 @birgire
2 months ago

Thanks for the ticket @heller_benjamin

I was also wondering about this yesterday, when looking into some unit-tests for tickets that use the function.

The function was introduced in #43187

I noticed that in blankshield the _top, _self and _parent are mentioned as safe targets.

It would be nice to see some more info on that, and also on what the typical use cases for these browsing contexts are, after <frame> and <frameset> (but not <iframe>) have been deprecated in HTML5.

Here is some info on supported browser contexts in HTML5.


#2 @heller_benjamin
2 months ago

I think they go largely unused. And to be honest, in the case I ran into it was only used to deal with some nuances of Gutenberg rather than for adding functionality.

I am not experienced with Angular but it apparently can be used to prevent full page reloads for Angular apps.

It's also interesting to see that the HTML specs allow for other values as well:
https://www.w3.org/TR/html53/browsers.html#browsing-context-name
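
The narrower check discussed in this ticket, as an added example (not WordPress core code and not a proposed patch): rel="noopener noreferrer" is added only when the target is not _self, _parent or _top, so _blank and custom browsing-context names are still covered. The function names, the handling of an empty target and the sample HTML are assumptions made for the example.

```php
<?php
// Added example, not WordPress core code. All function names are hypothetical.

/**
 * Adds rel="noopener noreferrer" only to A elements whose target can open
 * another browsing context; _self, _parent and _top links are left untouched.
 */
function example_targeted_link_rel( $text ) {
    // Cheap pre-check, as in the core function quoted in the ticket.
    if ( stripos( $text, 'target' ) === false || stripos( $text, '<a ' ) === false ) {
        return $text;
    }
    return preg_replace_callback( '|<a\s([^>]*target\s*=[^>]*)>|i', 'example_targeted_link_rel_callback', $text );
}

function example_targeted_link_rel_callback( $matches ) {
    $attrs = $matches[1];
    // Attribute value: double-quoted, single-quoted or unquoted (branch reset keeps it in group 1).
    $value = '(?|"([^"]*)"|\'([^\']*)\'|([^\s"\'>]+))';

    // (?<!\S) skips look-alikes such as data-target= or "?target=" inside a URL.
    if ( ! preg_match( '/(?<!\S)target\s*=\s*' . $value . '/i', $attrs, $t ) ) {
        return $matches[0];
    }

    // Keywords are ASCII case-insensitive. Assumption: an empty target is treated like _self.
    if ( in_array( strtolower( trim( $t[1] ) ), array( '', '_self', '_parent', '_top' ), true ) ) {
        return $matches[0];
    }

    // Merge into an existing rel attribute rather than emitting a second one.
    if ( preg_match( '/(?<!\S)rel\s*=\s*' . $value . '/i', $attrs, $r ) ) {
        $tokens = preg_split( '/\s+/', strtolower( $r[1] ), -1, PREG_SPLIT_NO_EMPTY );
        $rel    = implode( ' ', array_unique( array_merge( $tokens, array( 'noopener', 'noreferrer' ) ) ) );
        $attrs  = str_replace( $r[0], 'rel="' . $rel . '"', $attrs );
    } else {
        $attrs .= ' rel="noopener noreferrer"';
    }
    return '<a ' . $attrs . '>';
}

// Constructed sample input: one same-context link, one _blank link, one named context.
$html = '<a href="/a" target="_self">same tab</a> '
      . '<a href="https://example.org/" target="_blank">new tab</a> '
      . '<a href="/b" target="preview" rel="nofollow">named context</a>';
echo example_targeted_link_rel( $html ), "\n";
```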
