Add rel="noopener noreferrer" wherever target="_blank" is used #7680
Conversation
bluefuton
added
[Status] Needs Review
| @@ -29,7 +29,7 @@ const ReaderAuthorLink = ( { author, post, siteUrl, children } ) => { | |||
| } | |||
|
|
|||
| return ( | |||
| <ExternalLink className="reader-author-link" href={ linkUrl } target="_blank" onClick={ recordAuthorClick }> | |||
| <ExternalLink className="reader-author-link" href={ linkUrl } target="_blank" rel="noopener noreferrer" onClick={ recordAuthorClick }> | |||
There was a problem hiding this comment.
The implementation of <ExternalLink /> is such that rel will be overridden and remove the noopener noreferrer:
To that end, if the purpose of external link is for linking externally, should we just add these values to the component itself?
There was a problem hiding this comment.
I had the same thought, but I'm not sure our new lint rule (Automattic/eslint-config-wpcalypso#2) is smart enough to figure that out :) Might mean peppering the code with eslint exception comments?
There was a problem hiding this comment.
As I suspected, the eslint rule is a bit of a blunt instrument. If we specify target="_blank" on an ExternalLink, the rule complains even though we are setting rel in the underlying component.
I've worked around the handful of cases with
eslint-disable react/jsx-no-target-blank
for the moment. Another way around this would be to introduce a new prop on ExternalLink (openInNewWindow or similar) that applies target inside the component.
aduth
added
[Status] Needs Author Reply
and removed
[Status] Needs Review
|
Todo:
|
bluefuton
force-pushed
the
fix/target-blank-vuln
branch
2 times, most recently
from
bad0bf4 to
3a740b3
Compare
bluefuton
added
[Status] Needs Review
bluefuton
force-pushed
the
fix/target-blank-vuln
branch
from
519772f to
08aedfd
Compare
|
Rebased and ready for 👀 |
| borderless: PropTypes.bool | ||
| borderless: PropTypes.bool, | ||
| target: PropTypes.string, | ||
| rel: PropTypes.string |
There was a problem hiding this comment.
Might be argued that these be included in the else block in render to push into omitProps for the button case, since they're not valid attributes for a button. This assumes someone renders as a button with rel and target but not href, which is unlikely, be "possible".
There was a problem hiding this comment.
Good call. Added in b88562b.
bluefuton
added
[Status] Needs Author Reply
and removed
[Status] Needs Review
bluefuton
force-pushed
the
fix/target-blank-vuln
branch
from
8848da9 to
1f9fca3
Compare
bluefuton
added
[Status] Needs Review
bluefuton
force-pushed
the
fix/target-blank-vuln
branch
from
b51c6e2 to
05522ce
Compare
|
Does this look good to go @aduth? Keeping on top of the conflicts is getting tricky as it touches so many files. I'll remove the |
| @@ -41,6 +42,10 @@ export default React.createClass( { | |||
| rel: 'external' | |||
| } ); | |||
|
|
|||
| if ( props.target ) { | |||
| props.rel = props.rel.concat( ' noopener noreferrer' ); | |||
There was a problem hiding this comment.
TIL String#concat. Then again, this could have just been props.rel += ' noopener noreferrer';
No need to change anything.
|
LGTM 👍 You may want to rebase once more locally and run |
aduth
added
[Status] Ready to Merge
and removed
[Status] Needs Review
bluefuton
force-pushed
the
fix/target-blank-vuln
branch
from
05522ce to
c7c5163
Compare
|
Thanks @aduth! I've just given it a final rebase and lint. 🚢 |
To address the
target="_blank"issue outlined here:https://dev.to/ben/the-targetblank-vulnerability-by-example
...this PR adds
rel="noopener noreferrer"to every external link usingtarget="_blank"in the Calypso codebase.We've also added an eslint rule (Automattic/eslint-config-wpcalypso#2) to flag any links using target="_blank" without the corresponding
relattribute.cc @aduth
Test live: https://calypso.live/?branch=fix/target-blank-vuln