Skip to content

Commit 0943fa4

Browse files
ocean90ocean90
committed
Editor: Prevent adding javascript: and data: URLs through the inline link dialog.
Merge of [41393] to the 4.5 branch. git-svn-id: https://develop.svn.wordpress.org/branches/4.5@41403 602fd350-edb4-49c9-b593-d223f7449a82
1 parent d24e82c commit 0943fa4

File tree

2 files changed

+23
-2
lines changed

2 files changed

+23
-2
lines changed

src/wp-includes/js/tinymce/plugins/wplink/plugin.js

Lines changed: 8 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -4,7 +4,7 @@
44
renderHtml: function() {
55
return (
66
'<div id="' + this._id + '" class="wp-link-preview">' +
7-
'<a href="' + this.url + '" target="_blank" tabindex="-1">' + this.url + '</a>' +
7+
'<a href="' + this.url + '" target="_blank" rel="noopener" tabindex="-1">' + this.url + '</a>' +
88
'</div>'
99
);
1010
},
@@ -217,6 +217,13 @@
217217
text = inputInstance.getLinkText();
218218
editor.focus();
219219

220+
var parser = document.createElement( 'a' );
221+
parser.href = href;
222+
223+
if ( 'javascript:' === parser.protocol || 'data:' === parser.protocol ) { // jshint ignore:line
224+
href = '';
225+
}
226+
220227
if ( ! href ) {
221228
editor.dom.remove( linkNode, true );
222229
return;

src/wp-includes/js/wplink.js

Lines changed: 15 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -313,7 +313,7 @@ var wpLink;
313313
var html = '<a href="' + attrs.href + '"';
314314

315315
if ( attrs.target ) {
316-
html += ' target="' + attrs.target + '"';
316+
html += ' rel="noopener" target="' + attrs.target + '"';
317317
}
318318

319319
return html + '>';
@@ -338,6 +338,13 @@ var wpLink;
338338
attrs = wpLink.getAttrs();
339339
text = inputs.text.val();
340340

341+
var parser = document.createElement( 'a' );
342+
parser.href = attrs.href;
343+
344+
if ( 'javascript:' === parser.protocol || 'data:' === parser.protocol ) { // jshint ignore:line
345+
attrs.href = '';
346+
}
347+
341348
// If there's no href, return.
342349
if ( ! attrs.href ) {
343350
return;
@@ -395,6 +402,13 @@ var wpLink;
395402
editor.windowManager.wplinkBookmark = null;
396403
}
397404

405+
var parser = document.createElement( 'a' );
406+
parser.href = attrs.href;
407+
408+
if ( 'javascript:' === parser.protocol || 'data:' === parser.protocol ) { // jshint ignore:line
409+
attrs.href = '';
410+
}
411+
398412
if ( ! attrs.href ) {
399413
editor.execCommand( 'unlink' );
400414
wpLink.close();

0 commit comments

Comments
 (0)