Widgets: Add rel="noopener noreferrer" to links with target="_blank" in the Text and HTML widgets.

Props audrasjb, birgire, mukesh27. Fixes #46421. git-svn-id: https://develop.svn.wordpress.org/trunk@45143 602fd350-edb4-49c9-b593-d223f7449a82
2019-04-08 23:17:35 +00:00 · 2019-04-08 23:17:35 +00:00 · 5dfdc9b9c4
commit 5dfdc9b9c4
parent 0f75356246
4 changed files with 113 additions and 0 deletions
--- a/src/wp-includes/widgets/class-wp-widget-custom-html.php
+++ b/src/wp-includes/widgets/class-wp-widget-custom-html.php
@ -143,6 +143,9 @@ class WP_Widget_Custom_HTML extends WP_Widget {
 		/** This filter is documented in wp-includes/widgets/class-wp-widget-text.php */
 		$content = apply_filters( 'widget_text', $instance['content'], $simulated_text_widget_instance, $this );

+		// Adds noreferrer and noopener relationships, without duplicating values, to all HTML A elements that have a target.
+		$content = wp_targeted_link_rel( $content );
+
 		/**
 		 * Filters the content of the Custom HTML widget.
 		 *
--- a/src/wp-includes/widgets/class-wp-widget-text.php
+++ b/src/wp-includes/widgets/class-wp-widget-text.php
@ -328,6 +328,9 @@ class WP_Widget_Text extends WP_Widget {

 		$text = preg_replace_callback( '#<(video|iframe|object|embed)\s[^>]*>#i', array( $this, 'inject_video_max_width_style' ), $text );

+		// Adds noreferrer and noopener relationships, without duplicating values, to all HTML A elements that have a target.
+		$text = wp_targeted_link_rel( $text );
+
 		?>
 			<div class="textwidget"><?php echo $text; ?></div>
 		<?php
--- a/tests/phpunit/tests/widgets/custom-html-widget.php
+++ b/tests/phpunit/tests/widgets/custom-html-widget.php
@ -302,4 +302,57 @@ class Test_WP_Widget_Custom_HTML extends WP_UnitTestCase {

 		$this->assertContains( 'Use the Custom HTML widget to add arbitrary HTML code to your widget areas.', $help_tab['content'] );
 	}
+
+	/**
+	 * Ensure that rel="noopener noreferrer" is added to links with a target.
+	 *
+	 * @ticket 46421
+	 */
+	function test_render_links_with_target() {
+		$widget = new WP_Widget_Custom_HTML();
+
+		$content = 'Test content with an external <a href="https://example.org" target="_blank">link</a>.';
+
+		$args = array(
+			'before_title'  => '<h2>',
+			'after_title'   => '</h2>',
+			'before_widget' => '',
+			'after_widget'  => '',
+		);
+
+		$instance = array(
+			'title'   => 'Foo',
+			'content' => $content,
+		);
+
+		$output = get_echo( array( $widget, 'widget' ), array( $args, $instance ) );
+		$this->assertContains( 'rel="noopener noreferrer"', $output );
+	}
+
+	/**
+	 * Ensure that rel="noopener noreferrer" is not added to links without a target.
+	 *
+	 * @ticket 46421
+	 */
+	function test_render_links_without_target() {
+		$widget = new WP_Widget_Custom_HTML();
+
+		$content = 'Test content with an internal <a href="/">link</a>.';
+
+		$args = array(
+			'before_title'  => '<h2>',
+			'after_title'   => '</h2>',
+			'before_widget' => '',
+			'after_widget'  => '',
+		);
+
+		$instance = array(
+			'title'   => 'Foo',
+			'content' => $content,
+		);
+
+		$output = get_echo( array( $widget, 'widget' ), array( $args, $instance ) );
+		$this->assertNotContains( 'rel="noopener noreferrer"', $output );
+	}
+
 }
--- a/tests/phpunit/tests/widgets/text-widget.php
+++ b/tests/phpunit/tests/widgets/text-widget.php
@ -1001,4 +1001,58 @@ class Test_WP_Widget_Text extends WP_UnitTestCase {

 		$this->assertContains( '<script type="text/html" id="tmpl-widget-text-control-fields">', $output );
 	}
+
+	/**
+	 * Ensure that rel="noopener noreferrer" is added to links with a target.
+	 *
+	 * @ticket 46421
+	 */
+	function test_render_links_with_target() {
+		$widget = new WP_Widget_Text();
+
+		$text = 'Test content with an external <a href="https://example.org" target="_blank">link</a>.';
+
+		$args = array(
+			'before_title'  => '<h2>',
+			'after_title'   => '</h2>',
+			'before_widget' => '',
+			'after_widget'  => '',
+		);
+
+		$instance = array(
+			'title' => 'Foo',
+			'text'  => $text,
+		);
+
+		$output = get_echo( array( $widget, 'widget' ), array( $args, $instance ) );
+
+		$this->assertContains( 'rel="noopener noreferrer"', $output );
+	}
+
+	/**
+	 * Ensure that rel="noopener noreferrer" is not added to links without a target.
+	 *
+	 * @ticket 46421
+	 */
+	function test_render_links_without_target() {
+		$widget = new WP_Widget_Text();
+
+		$text = 'Test content with an internal <a href="/">link</a>.';
+
+		$args = array(
+			'before_title'  => '<h2>',
+			'after_title'   => '</h2>',
+			'before_widget' => '',
+			'after_widget'  => '',
+		);
+
+		$instance = array(
+			'title' => 'Foo',
+			'text'  => $text,
+		);
+
+		$output = get_echo( array( $widget, 'widget' ), array( $args, $instance ) );
+
+		$this->assertNotContains( 'rel="noopener noreferrer"', $output );
+	}
 }