WordPress.org

Make WordPress Core

Opened 3 months ago

Last modified 3 months ago

#53839 new enhancement

Add rel="noopener" to output of wp_list_bookmarks() when target is set to "_blank"

Reported by: tw2113 Owned by:
Milestone: 5.9 Priority: normal
Severity: normal Version:
Component: General Keywords: has-patch
Focuses: Cc:

Description

To help aid in hardening WordPress and the web as a whole, it became a best practice to add noopener to the rel attribute for links that have a target of _blank.

I have provided the following patch to add this noopener value to the rel attributes on the output of wp_list_bookmarks() instances, when a link has a _blank target value.

Attachments (3)

53839-noopener-on-blogroll-links.diff (658 bytes) - added by tw2113 3 months ago.
53839-noopener-on-blogroll-links.2.diff (726 bytes) - added by tw2113 3 months ago.
53839.patch (960 bytes) - added by mukesh27 3 months ago.

Download all attachments as: .zip

Change History (12)

#1 @SergeyBiryukov
3 months ago

  • Milestone changed from Awaiting Review to 5.9

#2 @birgire
3 months ago

Sounds good.

Isnt it possible to have duplication of noopener with patch?

I just wonder about the edge case where rel is already noopener.

#3 follow-up: @tw2113
3 months ago

@birgire Definitely willing and able to add in an array_unique() or in_array() check.

Since you mentioned it, I think it is possible to key in your own rel values.

Correction, the field is readonly. So the only way someone would get to the rel tag would be through the wp_list_bookmarks filter which is after constructing the entire list.

Last edited 3 months ago by tw2113 (previous) (diff)

#4 in reply to: ↑ 3 @birgire
3 months ago

Replying to tw2113:

Thanks for checking, prev. I just had a quick look at the link insert function that allows to insert rel data

https://developer.wordpress.org/reference/functions/wp_insert_link/

since Im travelling with a mobile unable to dig deep ☺

#5 @tw2113
3 months ago

Will check that out and see what can be done. Thanks.

#6 @tw2113
3 months ago

I'm doubtful we're going to run in to too many issues with wp_insert_link() but that said, I have amended the patch to do an in_array() check first before inserting.

#7 @SergeyBiryukov
3 months ago

Related: #53843

Version 0, edited 3 months ago by SergeyBiryukov (next)

@mukesh27
3 months ago

#8 @mukesh27
3 months ago

Patch 53839.patch remove bottom additional target checking.

#9 @SergeyBiryukov
3 months ago

Thanks for the patches!

I think 53839.patch would be preferable here, as it adds noopener to any link with a target attribute, rather than _blank specifically, which seems more consistent with wp_targeted_link_rel().

Some unit tests for this would be great. They could draw inspiration from the wp_targeted_link_rel() tests. They could be for either _walk_bookmarks() or wp_list_bookmarks() function, and be placed under tests/bookmarks/.

Note: See TracTickets for help on using tickets.