Opened 6 years ago
Last modified 6 years ago
#46580 new enhancement
Is there a reason we add noopener noreferrer on all anchor tags with target=?
Reported by: | heller_benjamin | Owned by: | |
---|---|---|---|
Milestone: | Awaiting Review | Priority: | normal |
Severity: | minor | Version: | 5.1 |
Component: | General | Keywords: | |
Focuses: | | Cc: | |
Description
```php
<?php
/**
 * Adds rel noreferrer and noopener to all HTML A elements that have a target.
 *
 * @param string $text Content that may contain HTML A elements.
 * @return string Converted content.
 */
function wp_targeted_link_rel( $text ) {
	// Don't run (more expensive) regex if no links with targets.
	if ( stripos( $text, 'target' ) !== false && stripos( $text, '<a ' ) !== false ) {
		$text = preg_replace_callback( '|<a\s([^>]*target\s*=[^>]*)>|i', 'wp_targeted_link_rel_callback', $text );
	}

	return $text;
}
```
I have run into an issue with a Gutenberg block failing to validate because target="_self" is getting rel="noopener noreferrer" added. Is there a reason we cannot put a strpos conditional for "_blank" or something similar?
Change History (2)
#2
@
6 years ago
I think they go largely unused. And to be honest, in the case I ran into it was only used to deal with some nuances of Gutenberg rather than for adding functionality.
I am not experienced with Angular but it apparently can be used to prevent full page reloads for Angular apps.
It's also interesting to see that the HTML specs allow for other values as well:
https://www.w3.org/TR/html53/browsers.html#browsing-context-name
Thanks for the ticket @heller_benjamin
I was also wondering about this yesterday, when looking into some unit-tests for tickets that use the function.
The function was introduced in #43187
I noticed that in blankshield the `_top`, `_self` and `_parent` are mentioned as safe targets.
It would be nice to see some more info on that and also what are the typical use cases for these browsing contexts, after the `<frame>` and `<framesets>` (but not `<iframe>`) have been deprecated in HTML5.
Here is some info on supported browser contexts in HTML5.
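
An added example, not WordPress core code and not part of any comment above: one way to limit the filter to targets that can open a new browsing context, skipping only the `_self`, `_parent` and `_top` keywords mentioned in the ticket. It goes slightly beyond a plain `_blank` check, because any other target name can also open a new context. The `example_*` names and the sample markup are hypothetical.

```php
<?php
// Added example, not WordPress core code; all example_* names are hypothetical.
const EXAMPLE_ATTR_RE = '/([^\s=\/"\'>]+)(?:\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s"\'>]+)))?/';

function example_targeted_link_rel( $text ) {
	// Same cheap pre-check and candidate regex as the function quoted in the ticket.
	if ( stripos( $text, 'target' ) === false || stripos( $text, '<a ' ) === false ) {
		return $text;
	}
	return preg_replace_callback( '|<a\s([^>]*target\s*=[^>]*)>|i', 'example_targeted_link_rel_callback', $text );
}

function example_targeted_link_rel_callback( $matches ) {
	// Tokenize whole attributes so "target=" inside an href or data-target is not misread.
	preg_match_all( EXAMPLE_ATTR_RE, $matches[1], $attrs, PREG_SET_ORDER | PREG_OFFSET_CAPTURE );
	$target = null;
	$rel    = null;
	foreach ( $attrs as $a ) {
		$name  = strtolower( $a[1][0] );
		// Exactly one of the three value groups (double, single, unquoted) can match.
		$value = ( $a[2][0] ?? '' ) . ( $a[3][0] ?? '' ) . ( $a[4][0] ?? '' );
		if ( 'target' === $name && null === $target ) {
			$target = strtolower( trim( $value ) );
		} elseif ( 'rel' === $name && null === $rel ) {
			$rel = array( 'offset' => $a[0][1], 'length' => strlen( $a[0][0] ), 'value' => $value );
		}
	}
	// Only these three keywords are skipped; _blank and any other name get the rel.
	if ( null === $target || in_array( $target, array( '_self', '_parent', '_top' ), true ) ) {
		return $matches[0];
	}
	// Keep existing rel tokens (for example nofollow) and add the two missing ones.
	$tokens  = preg_split( '/\s+/', $rel['value'] ?? '', -1, PREG_SPLIT_NO_EMPTY );
	$tokens  = array_unique( array_merge( $tokens, array( 'noopener', 'noreferrer' ) ) );
	$new_rel = 'rel="' . str_replace( '"', '&quot;', implode( ' ', $tokens ) ) . '"';
	$out     = null === $rel
		? $matches[1] . ' ' . $new_rel
		: substr_replace( $matches[1], $new_rel, $rel['offset'], $rel['length'] );
	return '<a ' . $out . '>';
}

// Constructed sample input: a safe keyword, a _blank link with an existing rel, a named target.
$sample = '<a href="/a" target="_self">same</a> '
	. '<a href="/b?target=_self" target="_blank" rel="nofollow">new</a> '
	. '<a href="/c" target="report">named</a>';
echo example_targeted_link_rel( $sample ), "\n";
```

Tags with one of the three skipped keywords are returned byte-for-byte unchanged, which is what the block-validation case in the description needs.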