From df232ec96f0568c4a8659f73eba13642aed3bd3e Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Wed, 9 Jan 2019 18:00:47 +0000
Subject: [PATCH 1/1] Add noopener and noreferer to links in user generated content
---
 config/initializers/sanitize.rb | 2 +-
 lib/rich_text.rb | 4 ++--
 test/lib/rich_text_test.rb | 16 ++++++++--------
 3 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/config/initializers/sanitize.rb b/config/initializers/sanitize.rb
index 240f1e315..c7b7b3326 100644
--- a/config/initializers/sanitize.rb
+++ b/config/initializers/sanitize.rb
@@ -1,5 +1,5 @@
 Sanitize::Config::OSM = Sanitize::Config::RELAXED.dup
 Sanitize::Config::OSM[:elements] -= %w[div style]
-Sanitize::Config::OSM[:add_attributes] = { "a" => { "rel" => "nofollow" } }
+Sanitize::Config::OSM[:add_attributes] = { "a" => { "rel" => "nofollow noopener noreferer" } }
 Sanitize::Config::OSM[:remove_contents] = %w[script style]
diff --git a/lib/rich_text.rb b/lib/rich_text.rb
index 5b0faae2b..2b3e07d6a 100644
--- a/lib/rich_text.rb
+++ b/lib/rich_text.rb
@@ -61,9 +61,9 @@ module RichText
 def linkify(text, mode = :urls)
 if text.html_safe?
- Rinku.auto_link(text, mode, tag_builder.tag_options(:rel => "nofollow")).html_safe
+ Rinku.auto_link(text, mode, tag_builder.tag_options(:rel => "nofollow noopener noreferer")).html_safe
 else
- Rinku.auto_link(text, mode, tag_builder.tag_options(:rel => "nofollow"))
+ Rinku.auto_link(text, mode, tag_builder.tag_options(:rel => "nofollow noopener noreferer"))
 end
 end
 end
diff --git a/test/lib/rich_text_test.rb b/test/lib/rich_text_test.rb
index 74d396b68..e1603fb09 100644
--- a/test/lib/rich_text_test.rb
+++ b/test/lib/rich_text_test.rb
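Review bot: The new rel value in the `+` line of the sanitize.rb hunk spells the link type `noreferer`; the HTML link type is `noreferrer`, and browsers ignore rel tokens they do not recognise, so this change adds `noopener` but does not actually stop the Referer header being sent from links in user content. The same spelling is in both added lines of the `linkify` branches in lib/rich_text.rb and in all eight updated `assert_select` lines in test/lib/rich_text_test.rb, so the tests pass while pinning the misspelling. Change the value to `"nofollow noopener noreferrer"` in all three files, and since the string is now written out in several places it would be worth defining it once (for example a frozen constant in the sanitize initializer) that both the Sanitize config and `linkify` read. The two `linkify` branches differ only in the trailing `.html_safe`, so they could also collapse to `linked = Rinku.auto_link(text, mode, tag_builder.tag_options(:rel => "nofollow noopener noreferrer"))` followed by `text.html_safe? ? linked.html_safe : linked`.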
@@ -8,14 +8,14 @@ class RichTextTest < ActiveSupport::TestCase
 assert_html r do
 assert_select "a", 1
 assert_select "a[href='http://example.com/']", 1
- assert_select "a[rel='nofollow']", 1
+ assert_select "a[rel='nofollow noopener noreferer']", 1
 end
 r = RichText.new("html", "foo bar baz")
 assert_html r do
 assert_select "a", 1
 assert_select "a[href='http://example.com/']", 1
- assert_select "a[rel='nofollow']", 1
+ assert_select "a[rel='nofollow noopener noreferer']", 1
 end
 r = RichText.new("html", "foo example@example.com bar")
@@ -27,7 +27,7 @@ class RichTextTest < ActiveSupport::TestCase
 assert_html r do
 assert_select "a", 1
 assert_select "a[href='mailto:example@example.com']", 1
- assert_select "a[rel='nofollow']", 1
+ assert_select "a[rel='nofollow noopener noreferer']", 1
 end
 r = RichText.new("html", "foo
bar
baz")
@@ -64,28 +64,28 @@ class RichTextTest < ActiveSupport::TestCase
 assert_html r do
 assert_select "a", 1
 assert_select "a[href='http://example.com/']", 1
- assert_select "a[rel='nofollow']", 1
+ assert_select "a[rel='nofollow noopener noreferer']", 1
 end
 r = RichText.new("markdown", "foo [bar](http://example.com/) baz")
 assert_html r do
 assert_select "a", 1
 assert_select "a[href='http://example.com/']", 1
- assert_select "a[rel='nofollow']", 1
+ assert_select "a[rel='nofollow noopener noreferer']", 1
 end
 r = RichText.new("markdown", "foo example@example.com bar")
 assert_html r do
 assert_select "a", 1
 assert_select "a[href='mailto:example@example.com']", 1
- assert_select "a[rel='nofollow']", 1
+ assert_select "a[rel='nofollow noopener noreferer']", 1
 end
 r = RichText.new("markdown", "foo [bar](mailto:example@example.com) bar")
 assert_html r do
 assert_select "a", 1
 assert_select "a[href='mailto:example@example.com']", 1
- assert_select "a[rel='nofollow']", 1
+ assert_select "a[rel='nofollow noopener noreferer']", 1
 end
 r = RichText.new("markdown", "foo ![bar](http://example.com/example.png) bar")
@@ -162,7 +162,7 @@ class RichTextTest < ActiveSupport::TestCase
 assert_html r do
 assert_select "a", 1
 assert_select "a[href='http://example.com/']", 1
- assert_select "a[rel='nofollow']", 1
+ assert_select "a[rel='nofollow noopener noreferer']", 1
 end
 r = RichText.new("text", "foo example@example.com bar")
-- 
2.43.2