General: Remove noreferrer from wp_targeted_link_rel() and other uses.

When `noopener noreferrer` was originally added in #37941 and related tickets, the `noreferrer` bit was specifically included due to Firefox not supporting `noopener` at the time.

Since `noopener` has been supported by all major browsers for a while, it should now be safe to remove the `noreferrer` attribute from core.

Props Mista-Flo, audrasjb, joostdevalk, jonoaldersonwp, peterwilsoncc, elgameel.
Fixes #49558.
Built from https://develop.svn.wordpress.org/trunk@49215


git-svn-id: http://core.svn.wordpress.org/trunk@48977 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Sergey Biryukov 2020-10-19 23:39:04 +00:00
parent caa75a04a8
commit 651f426b3a
12 changed files with 25 additions and 24 deletions


@ -730,7 +730,7 @@ class WP_Site_Health {
) )
), ),
'actions' => sprintf( 'actions' => sprintf(
'<p><a href="%s" target="_blank" rel="noopener noreferrer">%s <span class="screen-reader-text">%s</span><span aria-hidden="true" class="dashicons dashicons-external"></span></a></p>', '<p><a href="%s" target="_blank" rel="noopener">%s <span class="screen-reader-text">%s</span><span aria-hidden="true" class="dashicons dashicons-external"></span></a></p>',
esc_url( wp_get_update_php_url() ), esc_url( wp_get_update_php_url() ),
__( 'Learn more about updating PHP' ), __( 'Learn more about updating PHP' ),
/* translators: Accessibility text. */ /* translators: Accessibility text. */
@ -842,7 +842,7 @@ class WP_Site_Health {
__( 'The WordPress Hosting Team maintains a list of those modules, both recommended and required, in <a href="%1$s" %2$s>the team handbook%3$s</a>.' ), __( 'The WordPress Hosting Team maintains a list of those modules, both recommended and required, in <a href="%1$s" %2$s>the team handbook%3$s</a>.' ),
/* translators: Localized team handbook, if one exists. */ /* translators: Localized team handbook, if one exists. */
esc_url( __( 'https://make.wordpress.org/hosting/handbook/handbook/server-environment/#php-extensions' ) ), esc_url( __( 'https://make.wordpress.org/hosting/handbook/handbook/server-environment/#php-extensions' ) ),
'target="_blank" rel="noopener noreferrer"', 'target="_blank" rel="noopener"',
sprintf( sprintf(
' <span class="screen-reader-text">%s</span><span aria-hidden="true" class="dashicons dashicons-external"></span>', ' <span class="screen-reader-text">%s</span><span aria-hidden="true" class="dashicons dashicons-external"></span>',
/* translators: Accessibility text. */ /* translators: Accessibility text. */
@ -1159,7 +1159,7 @@ class WP_Site_Health {
__( 'The SQL server is a required piece of software for the database WordPress uses to store all your site&#8217;s content and settings.' ) __( 'The SQL server is a required piece of software for the database WordPress uses to store all your site&#8217;s content and settings.' )
), ),
'actions' => sprintf( 'actions' => sprintf(
'<p><a href="%s" target="_blank" rel="noopener noreferrer">%s <span class="screen-reader-text">%s</span><span aria-hidden="true" class="dashicons dashicons-external"></span></a></p>', '<p><a href="%s" target="_blank" rel="noopener">%s <span class="screen-reader-text">%s</span><span aria-hidden="true" class="dashicons dashicons-external"></span></a></p>',
/* translators: Localized version of WordPress requirements if one exists. */ /* translators: Localized version of WordPress requirements if one exists. */
esc_url( __( 'https://wordpress.org/about/requirements/' ) ), esc_url( __( 'https://wordpress.org/about/requirements/' ) ),
__( 'Learn more about what WordPress requires to run.' ), __( 'Learn more about what WordPress requires to run.' ),
@ -1396,7 +1396,7 @@ class WP_Site_Health {
); );
$result['actions'] = sprintf( $result['actions'] = sprintf(
'<p><a href="%s" target="_blank" rel="noopener noreferrer">%s <span class="screen-reader-text">%s</span><span aria-hidden="true" class="dashicons dashicons-external"></span></a></p>', '<p><a href="%s" target="_blank" rel="noopener">%s <span class="screen-reader-text">%s</span><span aria-hidden="true" class="dashicons dashicons-external"></span></a></p>',
/* translators: Localized Support reference. */ /* translators: Localized Support reference. */
esc_url( __( 'https://wordpress.org/support' ) ), esc_url( __( 'https://wordpress.org/support' ) ),
__( 'Get help resolving this issue.' ), __( 'Get help resolving this issue.' ),
@ -1434,7 +1434,7 @@ class WP_Site_Health {
__( 'Debug mode is often enabled to gather more details about an error or site failure, but may contain sensitive information which should not be available on a publicly available website.' ) __( 'Debug mode is often enabled to gather more details about an error or site failure, but may contain sensitive information which should not be available on a publicly available website.' )
), ),
'actions' => sprintf( 'actions' => sprintf(
'<p><a href="%s" target="_blank" rel="noopener noreferrer">%s <span class="screen-reader-text">%s</span><span aria-hidden="true" class="dashicons dashicons-external"></span></a></p>', '<p><a href="%s" target="_blank" rel="noopener">%s <span class="screen-reader-text">%s</span><span aria-hidden="true" class="dashicons dashicons-external"></span></a></p>',
/* translators: Documentation explaining debugging in WordPress. */ /* translators: Documentation explaining debugging in WordPress. */
esc_url( __( 'https://wordpress.org/support/article/debugging-in-wordpress/' ) ), esc_url( __( 'https://wordpress.org/support/article/debugging-in-wordpress/' ) ),
__( 'Learn more about debugging in WordPress.' ), __( 'Learn more about debugging in WordPress.' ),
@ -1503,7 +1503,7 @@ class WP_Site_Health {
__( 'An HTTPS connection is a more secure way of browsing the web. Many services now have HTTPS as a requirement. HTTPS allows you to take advantage of new features that can increase site speed, improve search rankings, and gain the trust of your visitors by helping to protect their online privacy.' ) __( 'An HTTPS connection is a more secure way of browsing the web. Many services now have HTTPS as a requirement. HTTPS allows you to take advantage of new features that can increase site speed, improve search rankings, and gain the trust of your visitors by helping to protect their online privacy.' )
), ),
'actions' => sprintf( 'actions' => sprintf(
'<p><a href="%s" target="_blank" rel="noopener noreferrer">%s <span class="screen-reader-text">%s</span><span aria-hidden="true" class="dashicons dashicons-external"></span></a></p>', '<p><a href="%s" target="_blank" rel="noopener">%s <span class="screen-reader-text">%s</span><span aria-hidden="true" class="dashicons dashicons-external"></span></a></p>',
/* translators: Documentation explaining HTTPS and why it should be used. */ /* translators: Documentation explaining HTTPS and why it should be used. */
esc_url( __( 'https://wordpress.org/support/article/why-should-i-use-https/' ) ), esc_url( __( 'https://wordpress.org/support/article/why-should-i-use-https/' ) ),
__( 'Learn more about why you should use HTTPS' ), __( 'Learn more about why you should use HTTPS' ),
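Review bot: With `noreferrer` dropped from these `target="_blank"` links, the browser now sends a Referer header to the external target, so what leaves the admin screen is decided by the page's referrer policy rather than by the markup. None of the hunks show that policy; presumably core's admin `Referrer-Policy` header (filterable through `admin_referrer_policy`) trims the value to the origin, but that should be confirmed, because a site that loosens the policy would now disclose full wp-admin URLs. The same applies to the dashboard PHP nag, the image-editor and media-template help links, the direct PHP update button and, most importantly, the wp-login.php links, where the URL can carry query parameters. A one-line comment next to the first format string would record the dependency, for example `// 'noreferrer' is intentionally omitted; Referer exposure is limited by the admin Referrer-Policy header.`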


@ -1761,7 +1761,7 @@ function wp_dashboard_php_nag() {
<p class="button-container"> <p class="button-container">
<?php <?php
printf( printf(
'<a class="button button-primary" href="%1$s" target="_blank" rel="noopener noreferrer">%2$s <span class="screen-reader-text">%3$s</span><span aria-hidden="true" class="dashicons dashicons-external"></span></a>', '<a class="button button-primary" href="%1$s" target="_blank" rel="noopener">%2$s <span class="screen-reader-text">%3$s</span><span aria-hidden="true" class="dashicons dashicons-external"></span></a>',
esc_url( wp_get_update_php_url() ), esc_url( wp_get_update_php_url() ),
__( 'Learn more about updating PHP' ), __( 'Learn more about updating PHP' ),
/* translators: Accessibility text. */ /* translators: Accessibility text. */


@ -3216,7 +3216,7 @@ function edit_form_image_editor( $post ) {
/* translators: 1: Link to tutorial, 2: Additional link attributes, 3: Accessibility text. */ /* translators: 1: Link to tutorial, 2: Additional link attributes, 3: Accessibility text. */
__( '<a href="%1$s" %2$s>Describe the purpose of the image%3$s</a>. Leave empty if the image is purely decorative.' ), __( '<a href="%1$s" %2$s>Describe the purpose of the image%3$s</a>. Leave empty if the image is purely decorative.' ),
esc_url( 'https://www.w3.org/WAI/tutorials/images/decision-tree' ), esc_url( 'https://www.w3.org/WAI/tutorials/images/decision-tree' ),
'target="_blank" rel="noopener noreferrer"', 'target="_blank" rel="noopener"',
sprintf( sprintf(
'<span class="screen-reader-text"> %s</span>', '<span class="screen-reader-text"> %s</span>',
/* translators: Accessibility text. */ /* translators: Accessibility text. */


@ -173,7 +173,7 @@ class Walker_Nav_Menu extends Walker {
$atts['title'] = ! empty( $item->attr_title ) ? $item->attr_title : ''; $atts['title'] = ! empty( $item->attr_title ) ? $item->attr_title : '';
$atts['target'] = ! empty( $item->target ) ? $item->target : ''; $atts['target'] = ! empty( $item->target ) ? $item->target : '';
if ( '_blank' === $item->target && empty( $item->xfn ) ) { if ( '_blank' === $item->target && empty( $item->xfn ) ) {
$atts['rel'] = 'noopener noreferrer'; $atts['rel'] = 'noopener';
} else { } else {
$atts['rel'] = $item->xfn; $atts['rel'] = $item->xfn;
} }
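Review bot: A menu item with `target="_blank"` and a non-empty XFN value falls into the `else` branch and gets `rel` set to `$item->xfn` alone, so it opens a new tab without `noopener`. The commit changes only the first branch and leaves that case as it was. Both branches should agree: for every `_blank` item whose XFN does not already contain the token, use `$atts['rel'] = trim( $item->xfn . ' noopener' );` and keep `$item->xfn` unchanged otherwise. The enclosing method starts and ends outside the hunk, so a later step may already cover this and should be checked first.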


@ -3647,7 +3647,7 @@ function wp_comments_personal_data_exporter( $email_address, $page = 1 ) {
case 'comment_link': case 'comment_link':
$value = get_comment_link( $comment->comment_ID ); $value = get_comment_link( $comment->comment_ID );
$value = sprintf( $value = sprintf(
'<a href="%s" target="_blank" rel="noreferrer noopener">%s</a>', '<a href="%s" target="_blank" rel="noopener">%s</a>',
esc_url( $value ), esc_url( $value ),
esc_html( $value ) esc_html( $value )
); );


@ -3153,9 +3153,10 @@ function wp_rel_ugc( $text ) {
} }
/** /**
* Adds rel noreferrer and noopener to all HTML A elements that have a target. * Adds `rel="noopener"` to all HTML A elements that have a target.
* *
* @since 5.1.0 * @since 5.1.0
* @since 5.6.0 Removed 'noreferrer' relationship.
* *
* @param string $text Content that may contain HTML A elements. * @param string $text Content that may contain HTML A elements.
* @return string Converted content. * @return string Converted content.
@ -3188,15 +3189,15 @@ function wp_targeted_link_rel( $text ) {
} }
/** /**
* Callback to add rel="noreferrer noopener" string to HTML A element. * Callback to add `rel="noopener"` string to HTML A element.
* *
* Will not duplicate existing noreferrer and noopener values * Will not duplicate an existing 'noopener' value to avoid invalidating the HTML.
* to prevent from invalidating the HTML.
* *
* @since 5.1.0 * @since 5.1.0
* @since 5.6.0 Removed 'noreferrer' relationship.
* *
* @param array $matches Single Match * @param array $matches Single match.
* @return string HTML A Element with rel noreferrer noopener in addition to any existing values * @return string HTML A Element with `rel="noopener"` in addition to any existing values.
*/ */
function wp_targeted_link_rel_callback( $matches ) { function wp_targeted_link_rel_callback( $matches ) {
$link_html = $matches[1]; $link_html = $matches[1];
@ -3219,7 +3220,7 @@ function wp_targeted_link_rel_callback( $matches ) {
* @param string $rel The rel values. * @param string $rel The rel values.
* @param string $link_html The matched content of the link tag including all HTML attributes. * @param string $link_html The matched content of the link tag including all HTML attributes.
*/ */
$rel = apply_filters( 'wp_targeted_link_rel', 'noopener noreferrer', $link_html ); $rel = apply_filters( 'wp_targeted_link_rel', 'noopener', $link_html );
// Return early if no rel values to be added or if no actual target attribute. // Return early if no rel values to be added or if no actual target attribute.
if ( ! $rel || ! isset( $atts['target'] ) ) { if ( ! $rel || ! isset( $atts['target'] ) ) {
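Review bot: The changelog entries added to the two function docblocks are not mirrored on the `wp_targeted_link_rel` filter, whose default value changes in the last hunk from `'noopener noreferrer'` to `'noopener'`. Only the `@param` lines of that filter docblock are visible, so if no entry exists above them, add `@since 5.6.0 The default value no longer includes 'noreferrer'.` Callbacks that assumed the old default, and sites that still want the Referer header suppressed on content links, would then know they have to add `noreferrer` back through this filter. The body of `wp_targeted_link_rel_callback()` continues outside the hunk.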


@ -7540,7 +7540,7 @@ function wp_direct_php_update_button() {
echo '<p class="button-container">'; echo '<p class="button-container">';
printf( printf(
'<a class="button button-primary" href="%1$s" target="_blank" rel="noopener noreferrer">%2$s <span class="screen-reader-text">%3$s</span><span aria-hidden="true" class="dashicons dashicons-external"></span></a>', '<a class="button button-primary" href="%1$s" target="_blank" rel="noopener">%2$s <span class="screen-reader-text">%3$s</span><span aria-hidden="true" class="dashicons dashicons-external"></span></a>',
esc_url( $direct_update_url ), esc_url( $direct_update_url ),
__( 'Update PHP' ), __( 'Update PHP' ),
/* translators: Accessibility text. */ /* translators: Accessibility text. */


@ -160,7 +160,7 @@ function wp_print_media_templates() {
/* translators: 1: Link to tutorial, 2: Additional link attributes, 3: Accessibility text. */ /* translators: 1: Link to tutorial, 2: Additional link attributes, 3: Accessibility text. */
__( '<a href="%1$s" %2$s>Describe the purpose of the image%3$s</a>. Leave empty if the image is purely decorative.' ), __( '<a href="%1$s" %2$s>Describe the purpose of the image%3$s</a>. Leave empty if the image is purely decorative.' ),
esc_url( 'https://www.w3.org/WAI/tutorials/images/decision-tree' ), esc_url( 'https://www.w3.org/WAI/tutorials/images/decision-tree' ),
'target="_blank" rel="noopener noreferrer"', 'target="_blank" rel="noopener"',
sprintf( sprintf(
'<span class="screen-reader-text"> %s</span>', '<span class="screen-reader-text"> %s</span>',
/* translators: Accessibility text. */ /* translators: Accessibility text. */


@ -13,7 +13,7 @@
* *
* @global string $wp_version * @global string $wp_version
*/ */
$wp_version = '5.6-alpha-49214'; $wp_version = '5.6-alpha-49215';
/** /**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema. * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.


@ -146,7 +146,7 @@ class WP_Widget_Custom_HTML extends WP_Widget {
/** This filter is documented in wp-includes/widgets/class-wp-widget-text.php */ /** This filter is documented in wp-includes/widgets/class-wp-widget-text.php */
$content = apply_filters( 'widget_text', $instance['content'], $simulated_text_widget_instance, $this ); $content = apply_filters( 'widget_text', $instance['content'], $simulated_text_widget_instance, $this );
// Adds noreferrer and noopener relationships, without duplicating values, to all HTML A elements that have a target. // Adds 'noopener' relationship, without duplicating values, to all HTML A elements that have a target.
$content = wp_targeted_link_rel( $content ); $content = wp_targeted_link_rel( $content );
/** /**


@ -331,7 +331,7 @@ class WP_Widget_Text extends WP_Widget {
$text = preg_replace_callback( '#<(video|iframe|object|embed)\s[^>]*>#i', array( $this, 'inject_video_max_width_style' ), $text ); $text = preg_replace_callback( '#<(video|iframe|object|embed)\s[^>]*>#i', array( $this, 'inject_video_max_width_style' ), $text );
// Adds noreferrer and noopener relationships, without duplicating values, to all HTML A elements that have a target. // Adds 'noopener' relationship, without duplicating values, to all HTML A elements that have a target.
$text = wp_targeted_link_rel( $text ); $text = wp_targeted_link_rel( $text );
?> ?>


@ -689,7 +689,7 @@ switch ( $action ) {
$accessibility_text = sprintf( '<span class="screen-reader-text"> %s</span>', __( '(opens in a new tab)' ) ); $accessibility_text = sprintf( '<span class="screen-reader-text"> %s</span>', __( '(opens in a new tab)' ) );
printf( printf(
'<a href="%s" rel="noopener noreferrer" target="_blank">%s%s</a>', '<a href="%s" rel="noopener" target="_blank">%s%s</a>',
esc_url( $admin_email_help_url ), esc_url( $admin_email_help_url ),
__( 'Why is this important?' ), __( 'Why is this important?' ),
$accessibility_text $accessibility_text
@ -1540,7 +1540,7 @@ switch ( $action ) {
for ( i in links ) { for ( i in links ) {
if ( links[i].href ) { if ( links[i].href ) {
links[i].target = '_blank'; links[i].target = '_blank';
links[i].rel = 'noreferrer noopener'; links[i].rel = 'noopener';
} }
} }
} catch( er ) {} } catch( er ) {}