From dd44bf6b4c2696f2373f43f0a01c3ed18eb1f537 Mon Sep 17 00:00:00 2001
From: "Dominik Schilling (ocean90)"
Date: Tue, 19 Sep 2017 10:14:45 +0000
Subject: [PATCH] Editor: Prevent adding `javascript:` and `data:` URLs through the inline link dialog.

Merge of [41393] to the 4.7 branch.

git-svn-id: https://develop.svn.wordpress.org/branches/4.7@41401 602fd350-edb4-49c9-b593-d223f7449a82
---
 .../js/tinymce/plugins/wplink/plugin.js | 9 ++++++++-
 src/wp-includes/js/wplink.js | 16 +++++++++++++++-
 2 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/src/wp-includes/js/tinymce/plugins/wplink/plugin.js b/src/wp-includes/js/tinymce/plugins/wplink/plugin.js
index 96357f2e9e..2266c641bd 100644
--- a/src/wp-includes/js/tinymce/plugins/wplink/plugin.js
+++ b/src/wp-includes/js/tinymce/plugins/wplink/plugin.js
@@ -4,7 +4,7 @@ renderHtml: function() { return ( '' ); },
@@ -249,6 +249,13 @@
 text = inputInstance.getLinkText();
 editor.focus();
 
+ var parser = document.createElement( 'a' );
+ parser.href = href;
+
+ if ( 'javascript:' === parser.protocol || 'data:' === parser.protocol ) { // jshint ignore:line
+ href = '';
+ }
+
 if ( ! href ) {
 editor.dom.remove( linkNode, true );
 return;
diff --git a/src/wp-includes/js/wplink.js b/src/wp-includes/js/wplink.js
index 4a5b1557af..a4bfb36832 100644
--- a/src/wp-includes/js/wplink.js
+++ b/src/wp-includes/js/wplink.js
@@ -312,7 +312,7 @@ var wpLink; var html = '';
@@ -337,6 +337,13 @@ var wpLink;
 attrs = wpLink.getAttrs();
 text = inputs.text.val();
 
+ var parser = document.createElement( 'a' );
+ parser.href = attrs.href;
+
+ if ( 'javascript:' === parser.protocol || 'data:' === parser.protocol ) { // jshint ignore:line
+ attrs.href = '';
+ }
+
 // If there's no href, return.
 if ( ! attrs.href ) {
 return;
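Review bot: The protocol test added in the `@@ -249` hunk is a blocklist of exactly two schemes, and the `@@ -337` hunk and the `@@ -389` hunk in wplink.js repeat it verbatim, so an allowlist of the schemes the dialog is meant to accept is the safer shape: `var allowed = [ 'http:', 'https:', 'mailto:' ];` followed by `if ( allowed.indexOf( parser.protocol ) === -1 ) {` in place of the two equality tests, with relative URLs already covered because the anchor resolves them against the page's own protocol. Parsing through an anchor element is the right way to do this, since the browser lower-cases the scheme and strips leading whitespace and embedded tab or newline characters before `protocol` is read; a comment such as `// Parse with an <a> so the browser normalises the scheme before it is compared.` would stop a later refactor from swapping it for a plain string test. Blanking the href then drops into the existing no-href branch, which in plugin.js calls `editor.dom.remove( linkNode, true )` and in the `@@ -389` hunk calls `editor.execCommand( 'unlink' )`, so a rejected URL silently removes the existing link with no notice to the user. Keeping the check in one shared helper instead of three copies would also keep the lists from drifting apart, and the guard is a convenience only as long as the server-side filtering on save stays the authoritative check. The enclosing functions start and end outside these hunks.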
@@ -389,6 +396,13 @@ var wpLink;
 var attrs = wpLink.getAttrs(),
 $link, text, hasText, $mceCaret;
 
+ var parser = document.createElement( 'a' );
+ parser.href = attrs.href;
+
+ if ( 'javascript:' === parser.protocol || 'data:' === parser.protocol ) { // jshint ignore:line
+ attrs.href = '';
+ }
+
 if ( ! attrs.href ) {
 editor.execCommand( 'unlink' );
 wpLink.close();