From 651f426b3ac3f711fa24de2a1ae5bd0e52f43c3e Mon Sep 17 00:00:00 2001 From: Sergey Biryukov Date: Mon, 19 Oct 2020 23:39:04 +0000 Subject: [PATCH] General: Remove `noreferrer` from `wp_targeted_link_rel()` and other uses. When `noopener noreferrer` was originally added in #37941 and related tickets, the `noreferrer` bit was specifically included due to Firefox not supporting `noopener` at the time. Since `noopener` has been supported by all major browsers for a while, it should now be safe to remove the `noreferrer` attribute from core. Props Mista-Flo, audrasjb, joostdevalk, jonoaldersonwp, peterwilsoncc, elgameel. Fixes #49558. Built from https://develop.svn.wordpress.org/trunk@49215 git-svn-id: http://core.svn.wordpress.org/trunk@48977 1a063a9b-81f0-0310-95a4-ce76da25c4cd --- wp-admin/includes/class-wp-site-health.php | 12 ++++++------ wp-admin/includes/dashboard.php | 2 +- wp-admin/includes/media.php | 2 +- wp-includes/class-walker-nav-menu.php | 2 +- wp-includes/comment.php | 2 +- wp-includes/formatting.php | 15 ++++++++------- wp-includes/functions.php | 2 +- wp-includes/media-template.php | 2 +- wp-includes/version.php | 2 +- .../widgets/class-wp-widget-custom-html.php | 2 +- wp-includes/widgets/class-wp-widget-text.php | 2 +- wp-login.php | 4 ++-- 12 files changed, 25 insertions(+), 24 deletions(-) diff --git a/wp-admin/includes/class-wp-site-health.php b/wp-admin/includes/class-wp-site-health.php index aa9d794095..dce08eba0d 100644 --- a/wp-admin/includes/class-wp-site-health.php +++ b/wp-admin/includes/class-wp-site-health.php @@ -730,7 +730,7 @@ class WP_Site_Health { ) ), 'actions' => sprintf( - '

%s %s

', + '

%s %s

', esc_url( wp_get_update_php_url() ), __( 'Learn more about updating PHP' ), /* translators: Accessibility text. */ @@ -842,7 +842,7 @@ class WP_Site_Health { __( 'The WordPress Hosting Team maintains a list of those modules, both recommended and required, in the team handbook%3$s.' ), /* translators: Localized team handbook, if one exists. */ esc_url( __( 'https://make.wordpress.org/hosting/handbook/handbook/server-environment/#php-extensions' ) ), - 'target="_blank" rel="noopener noreferrer"', + 'target="_blank" rel="noopener"', sprintf( ' %s', /* translators: Accessibility text. */ @@ -1159,7 +1159,7 @@ class WP_Site_Health { __( 'The SQL server is a required piece of software for the database WordPress uses to store all your site’s content and settings.' ) ), 'actions' => sprintf( - '

%s %s

', + '

%s %s

', /* translators: Localized version of WordPress requirements if one exists. */ esc_url( __( 'https://wordpress.org/about/requirements/' ) ), __( 'Learn more about what WordPress requires to run.' ), @@ -1396,7 +1396,7 @@ class WP_Site_Health { ); $result['actions'] = sprintf( - '

%s %s

', + '

%s %s

', /* translators: Localized Support reference. */ esc_url( __( 'https://wordpress.org/support' ) ), __( 'Get help resolving this issue.' ), @@ -1434,7 +1434,7 @@ class WP_Site_Health { __( 'Debug mode is often enabled to gather more details about an error or site failure, but may contain sensitive information which should not be available on a publicly available website.' ) ), 'actions' => sprintf( - '

%s %s

', + '

%s %s

', /* translators: Documentation explaining debugging in WordPress. */ esc_url( __( 'https://wordpress.org/support/article/debugging-in-wordpress/' ) ), __( 'Learn more about debugging in WordPress.' ), @@ -1503,7 +1503,7 @@ class WP_Site_Health { __( 'An HTTPS connection is a more secure way of browsing the web. Many services now have HTTPS as a requirement. HTTPS allows you to take advantage of new features that can increase site speed, improve search rankings, and gain the trust of your visitors by helping to protect their online privacy.' ) ), 'actions' => sprintf( - '

%s %s

', + '

%s %s

', /* translators: Documentation explaining HTTPS and why it should be used. */ esc_url( __( 'https://wordpress.org/support/article/why-should-i-use-https/' ) ), __( 'Learn more about why you should use HTTPS' ), diff --git a/wp-admin/includes/dashboard.php b/wp-admin/includes/dashboard.php index 971a60d77b..d63971c1a2 100644 --- a/wp-admin/includes/dashboard.php +++ b/wp-admin/includes/dashboard.php @@ -1761,7 +1761,7 @@ function wp_dashboard_php_nag() {

%2$s %3$s', + '%2$s %3$s', esc_url( wp_get_update_php_url() ), __( 'Learn more about updating PHP' ), /* translators: Accessibility text. */ diff --git a/wp-admin/includes/media.php b/wp-admin/includes/media.php index e9c0815c85..3650e2cb29 100644 --- a/wp-admin/includes/media.php +++ b/wp-admin/includes/media.php @@ -3216,7 +3216,7 @@ function edit_form_image_editor( $post ) { /* translators: 1: Link to tutorial, 2: Additional link attributes, 3: Accessibility text. */ __( 'Describe the purpose of the image%3$s. Leave empty if the image is purely decorative.' ), esc_url( 'https://www.w3.org/WAI/tutorials/images/decision-tree' ), - 'target="_blank" rel="noopener noreferrer"', + 'target="_blank" rel="noopener"', sprintf( ' %s', /* translators: Accessibility text. */ diff --git a/wp-includes/class-walker-nav-menu.php b/wp-includes/class-walker-nav-menu.php index 66ba424da4..1b7b4060a8 100644 --- a/wp-includes/class-walker-nav-menu.php +++ b/wp-includes/class-walker-nav-menu.php @@ -173,7 +173,7 @@ class Walker_Nav_Menu extends Walker { $atts['title'] = ! empty( $item->attr_title ) ? $item->attr_title : ''; $atts['target'] = ! empty( $item->target ) ? $item->target : ''; if ( '_blank' === $item->target && empty( $item->xfn ) ) { - $atts['rel'] = 'noopener noreferrer'; + $atts['rel'] = 'noopener'; } else { $atts['rel'] = $item->xfn; } diff --git a/wp-includes/comment.php b/wp-includes/comment.php index 49611147f5..ac37540be0 100644 --- a/wp-includes/comment.php +++ b/wp-includes/comment.php @@ -3647,7 +3647,7 @@ function wp_comments_personal_data_exporter( $email_address, $page = 1 ) { case 'comment_link': $value = get_comment_link( $comment->comment_ID ); $value = sprintf( - '%s', + '%s', esc_url( $value ), esc_html( $value ) ); diff --git a/wp-includes/formatting.php b/wp-includes/formatting.php index a0c2eda313..7d0becd68f 100644 --- a/wp-includes/formatting.php +++ b/wp-includes/formatting.php 
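Review bot: In the `Walker_Nav_Menu` hunk (`@@ -173,7 +173,7 @@`), a menu item that opens in `_blank` and has any XFN value still gets no `noopener`, because the `else` branch copies `$item->xfn` into `$atts['rel']` unchanged and only the empty-XFN case receives the protective value. With `noreferrer` no longer set anywhere, `noopener` is the only token left that keeps the opened page from reaching `window.opener`, so it should be appended rather than applied only as a fallback. The if/else could become `$atts['rel'] = ( '_blank' === $item->target && false === stripos( (string) $item->xfn, 'noopener' ) ) ? trim( $item->xfn . ' noopener' ) : $item->xfn;`. The enclosing method starts and ends outside the hunk, so later filtering of `$atts` is not visible here.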
@@ -3153,9 +3153,10 @@ function wp_rel_ugc( $text ) { } /** - * Adds rel noreferrer and noopener to all HTML A elements that have a target. + * Adds `rel="noopener"` to all HTML A elements that have a target. * * @since 5.1.0 + * @since 5.6.0 Removed 'noreferrer' relationship. * * @param string $text Content that may contain HTML A elements. * @return string Converted content. @@ -3188,15 +3189,15 @@ function wp_targeted_link_rel( $text ) { } /** - * Callback to add rel="noreferrer noopener" string to HTML A element. + * Callback to add `rel="noopener"` string to HTML A element. * - * Will not duplicate existing noreferrer and noopener values - * to prevent from invalidating the HTML. + * Will not duplicate an existing 'noopener' value to avoid invalidating the HTML. * * @since 5.1.0 + * @since 5.6.0 Removed 'noreferrer' relationship. * - * @param array $matches Single Match - * @return string HTML A Element with rel noreferrer noopener in addition to any existing values + * @param array $matches Single match. + * @return string HTML A Element with `rel="noopener"` in addition to any existing values. */ function wp_targeted_link_rel_callback( $matches ) { $link_html = $matches[1]; @@ -3219,7 +3220,7 @@ function wp_targeted_link_rel_callback( $matches ) { * @param string $rel The rel values. * @param string $link_html The matched content of the link tag including all HTML attributes. */ - $rel = apply_filters( 'wp_targeted_link_rel', 'noopener noreferrer', $link_html ); + $rel = apply_filters( 'wp_targeted_link_rel', 'noopener', $link_html ); // Return early if no rel values to be added or if no actual target attribute. if ( ! $rel || ! isset( $atts['target'] ) ) { diff --git a/wp-includes/functions.php b/wp-includes/functions.php index 8b36b9b09b..16e65807e6 100644 --- a/wp-includes/functions.php +++ b/wp-includes/functions.php @@ -7540,7 +7540,7 @@ function wp_direct_php_update_button() { echo '
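Review bot: The docblock of the `wp_targeted_link_rel` filter, whose tail is visible in the `@@ -3219,7 +3220,7 @@` hunk, gets no changelog entry. The default handed to callbacks changes from `'noopener noreferrer'` to `'noopener'`, and the two function docblocks in the earlier hunks of this file are updated for it. I would add `@since 5.6.0 Removed 'noreferrer' from the default value.` to the filter's docblock, and note there that a site wanting the `Referer` header withheld from link targets in user content can return `'noopener noreferrer'` from this filter. Callbacks that compare against or string-replace the old default would presumably stop matching; that cannot be checked from this page. The docblock begins outside the hunk.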

'; printf( - '%2$s %3$s', + '%2$s %3$s', esc_url( $direct_update_url ), __( 'Update PHP' ), /* translators: Accessibility text. */ diff --git a/wp-includes/media-template.php b/wp-includes/media-template.php index af418dd2e7..c2b87b28af 100644 --- a/wp-includes/media-template.php +++ b/wp-includes/media-template.php @@ -160,7 +160,7 @@ function wp_print_media_templates() { /* translators: 1: Link to tutorial, 2: Additional link attributes, 3: Accessibility text. */ __( 'Describe the purpose of the image%3$s. Leave empty if the image is purely decorative.' ), esc_url( 'https://www.w3.org/WAI/tutorials/images/decision-tree' ), - 'target="_blank" rel="noopener noreferrer"', + 'target="_blank" rel="noopener"', sprintf( ' %s', /* translators: Accessibility text. */ diff --git a/wp-includes/version.php b/wp-includes/version.php index 0459d9639f..4902e914c6 100644 --- a/wp-includes/version.php +++ b/wp-includes/version.php @@ -13,7 +13,7 @@ * * @global string $wp_version */ -$wp_version = '5.6-alpha-49214'; +$wp_version = '5.6-alpha-49215'; /** * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema. diff --git a/wp-includes/widgets/class-wp-widget-custom-html.php b/wp-includes/widgets/class-wp-widget-custom-html.php index 8412a4d371..0e25dd6b15 100644 --- a/wp-includes/widgets/class-wp-widget-custom-html.php +++ b/wp-includes/widgets/class-wp-widget-custom-html.php @@ -146,7 +146,7 @@ class WP_Widget_Custom_HTML extends WP_Widget { /** This filter is documented in wp-includes/widgets/class-wp-widget-text.php */ $content = apply_filters( 'widget_text', $instance['content'], $simulated_text_widget_instance, $this ); - // Adds noreferrer and noopener relationships, without duplicating values, to all HTML A elements that have a target. + // Adds 'noopener' relationship, without duplicating values, to all HTML A elements that have a target. $content = wp_targeted_link_rel( $content ); /** 
diff --git a/wp-includes/widgets/class-wp-widget-text.php b/wp-includes/widgets/class-wp-widget-text.php index c653e1b4eb..642e075d1a 100644 --- a/wp-includes/widgets/class-wp-widget-text.php +++ b/wp-includes/widgets/class-wp-widget-text.php @@ -331,7 +331,7 @@ class WP_Widget_Text extends WP_Widget { $text = preg_replace_callback( '#<(video|iframe|object|embed)\s[^>]*>#i', array( $this, 'inject_video_max_width_style' ), $text ); - // Adds noreferrer and noopener relationships, without duplicating values, to all HTML A elements that have a target. + // Adds 'noopener' relationship, without duplicating values, to all HTML A elements that have a target. $text = wp_targeted_link_rel( $text ); ?> diff --git a/wp-login.php b/wp-login.php index 46700c975f..143b3e1da0 100644 --- a/wp-login.php +++ b/wp-login.php @@ -689,7 +689,7 @@ switch ( $action ) { $accessibility_text = sprintf( ' %s', __( '(opens in a new tab)' ) ); printf( - '%s%s', + '%s%s', esc_url( $admin_email_help_url ), __( 'Why is this important?' ), $accessibility_text @@ -1540,7 +1540,7 @@ switch ( $action ) { for ( i in links ) { if ( links[i].href ) { links[i].target = '_blank'; - links[i].rel = 'noreferrer noopener'; + links[i].rel = 'noopener'; } } } catch( er ) {}
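Review bot: In the `@@ -1540,7 +1540,7 @@` hunk of wp-login.php, `links[i].rel = 'noopener';` assigns rather than appends, so any `rel` value already on a login-page link (a `noreferrer` or `nofollow` added through a filter, for example) is discarded. Before this change the overwrite at least always re-applied `noreferrer`. Appending keeps the existing tokens: `links[i].rel = links[i].rel ? links[i].rel + ' noopener' : 'noopener';`. Login URLs can carry query arguments such as `redirect_to`, so the page's referrer policy is now what limits the `Referer` sent from these new-tab links; that policy is not visible in this hunk and is worth confirming. The enclosing script block starts outside the hunk.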