From de8936588c8c075968975bb9ceedce67bc193ea3 Mon Sep 17 00:00:00 2001
From: Andrew Ozz <admin@laptoptips.ca>
Date: Fri, 2 Mar 2018 14:42:31 +0000
Subject: [PATCH] Add pre-save content filter to make target=_blank always
 secure.

Props notnownikki, iseulde, azaozz
Fixes #43187
Built from https://develop.svn.wordpress.org/trunk@42770


git-svn-id: http://core.svn.wordpress.org/trunk@42600 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/default-filters.php | 15 ++++++++
 wp-includes/formatting.php      | 63 +++++++++++++++++++++++++++++++++
 wp-includes/version.php         |  2 +-
 3 files changed, 79 insertions(+), 1 deletion(-)

diff --git a/wp-includes/default-filters.php b/wp-includes/default-filters.php
index 53f1d7b247..6b60625545 100644
--- a/wp-includes/default-filters.php
+++ b/wp-includes/default-filters.php
@@ -104,6 +104,21 @@ foreach ( array( 'content_save_pre', 'excerpt_save_pre', 'comment_save_pre', 'pr
 	add_filter( $filter, 'balanceTags', 50 );
 }
 
+// Add proper rel values for links with target.
+foreach ( array(
+	'title_save_pre',
+	'content_save_pre',
+	'excerpt_save_pre',
+	'content_filtered_save_pre',
+	'pre_comment_content',
+	'pre_term_description',
+	'pre_link_description',
+	'pre_link_notes',
+	'pre_user_description',
+) as $filter ) {
+	add_filter( $filter, 'wp_targeted_link_rel' );
+};
+
 // Format strings for display.
 foreach ( array( 'comment_author', 'term_name', 'link_name', 'link_description', 'link_notes', 'bloginfo', 'wp_title', 'widget_title' ) as $filter ) {
 	add_filter( $filter, 'wptexturize' );
diff --git a/wp-includes/formatting.php b/wp-includes/formatting.php
index c30a92c438..8b68c0e230 100644
--- a/wp-includes/formatting.php
+++ b/wp-includes/formatting.php
@@ -3023,6 +3023,69 @@ function wp_rel_nofollow_callback( $matches ) {
 	return "<a $text rel=\"$rel\">";
 }
 
+/**
+ * Adds rel noreferrer and noopener to all HTML A elements that have a target.
+ *
+ * @param string $text Content that may contain HTML A elements.
+ * @return string Converted content.
+ */
+function wp_targeted_link_rel( $text ) {
+	// Don't run (more expensive) regex if no links with targets.
+	if ( stripos( $text, 'target' ) !== false && stripos( $text, '<a ' ) !== false ) {
+		$text = preg_replace_callback( '|<a\s([^>]*target\s*=[^>]*)>|i', 'wp_targeted_link_rel_callback', $text );
+	}
+
+	return $text;
+}
+
+/**
+ * Callback to add rel="noreferrer noopener" string to HTML A element.
+ *
+ * Will not duplicate existing noreferrer and noopener values
+ * to prevent from invalidating the HTML.
+ *
+ * @param array $matches Single Match
+ * @return string HTML A Element with rel noreferrer noopener in addition to any existing values
+ */
+function wp_targeted_link_rel_callback( $matches ) {
+	$link_html = $matches[1];
+	$rel_match = array();
+
+	/**
+	 * Filters the rel values that are added to links with `target` attribute.
+	 *
+	 * @since 5.0.0
+	 *
+	 * @param string The rel values.
+	 * @param string $link_html The matched content of the link tag including all HTML attributes.
+	 */
+	$rel = apply_filters( 'wp_targeted_link_rel', 'noopener noreferrer', $link_html );
+
+	// Value with delimiters, spaces around are optional.
+	$attr_regex = '|rel\s*=\s*?(\\\\{0,1}["\'])(.*?)\\1|i';
+	preg_match( $attr_regex, $link_html, $rel_match );
+
+	if ( empty( $rel_match[0] ) ) {
+		// No delimiters, try with a single value and spaces, because `rel =  va"lue` is totally fine...
+		$attr_regex = '|rel\s*=(\s*)([^\s]*)|i';
+		preg_match( $attr_regex, $link_html, $rel_match );
+	}
+
+	if ( ! empty( $rel_match[0] ) ) {
+		$parts = preg_split( '|\s+|', strtolower( $rel_match[2] ) );
+		$parts = array_map( 'esc_attr', $parts );
+		$needed = explode( ' ', $rel );
+		$parts = array_unique( array_merge( $parts, $needed ) );
+		$delimiter = trim( $rel_match[1] ) ? $rel_match[1] : '"';
+		$rel = 'rel=' . $delimiter . trim( implode( ' ', $parts ) ) . $delimiter;
+		$link_html = str_replace( $rel_match[0], $rel, $link_html );
+	} else {
+		$link_html .= " rel=\"$rel\"";
+	}
+
+	return "<a $link_html>";
+}
+
 /**
  * Convert one smiley code to the icon graphic file equivalent.
  *
diff --git a/wp-includes/version.php b/wp-includes/version.php
index fae5d4789e..2c90a89fc4 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -4,7 +4,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '5.0-alpha-42769';
+$wp_version = '5.0-alpha-42770';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.