archive/phabricator
1
0
Fork 0
Code Issues 1 Pull Requests Packages Projects Releases Wiki Activity
Files
05a4c55c52be313c750b1552b89ad33bcf64a0dd
phabricator/src/applications/files/markup/PhabricatorImageRemarkupRule.php
epriestley 05a4c55c52 Explicitly add rel="noreferrer" to all external links 
Summary: See D19117. Instead of automatically figuring this out inside `phutil_tag()`, explicitly add rel="noreferrer" at the application level to all external links.

Test Plan:
  - Grepped for `_blank`, `isValidRemoteURIForLink`, checked all callsites for user-controlled data.
  - Created a link menu item, verified noreferrer in markup.
  - Created a link custom field, verified no referrer in markup.
  - Verified noreferrer for `{nav href=...}`.

Subscribers: PHID-OPKG-gm6ozazyms6q6i22gyam

Differential Revision: https://secure.phabricator.com/D19118
2018-02-17 17:46:11 -08:00

70 lines
1.7 KiB
PHP
Raw Blame History

<?php
final class PhabricatorImageRemarkupRule extends PhutilRemarkupRule {
public function getPriority() {
return 200.0;
}
public function apply($text) {
return preg_replace_callback(
'@{(image|img) ((?:[^}\\\\]+|\\\\.)*)}@m',
array($this, 'markupImage'),
$text);
}
public function markupImage(array $matches) {
if (!$this->isFlatText($matches[0])) {
return $matches[0];
}
$args = array();
$defaults = array(
'uri' => null,
'alt' => null,
'width' => null,
'height' => null,
);
$trimmed_match = trim($matches[2]);
if ($this->isURI($trimmed_match)) {
$args['uri'] = new PhutilURI($trimmed_match);
} else {
$parser = new PhutilSimpleOptions();
$keys = $parser->parse($trimmed_match);
$uri_key = '';
foreach (array('src', 'uri', 'url') as $key) {
if (array_key_exists($key, $keys)) {
$uri_key = $key;
}
}
if ($uri_key) {
$args['uri'] = new PhutilURI($keys[$uri_key]);
}
$args += $keys;
}
$args += $defaults;
if ($args['uri']) {
$src_uri = id(new PhutilURI('/file/imageproxy/'))
->setQueryParam('uri', (string)$args['uri']);
$img = $this->newTag(
'img',
array(
'src' => $src_uri,
'alt' => $args['alt'],
'width' => $args['width'],
'height' => $args['height'],
));
return $this->getEngine()->storeText($img);
} else {
return $matches[0];
}
}
private function isURI($uri_string) {
// Very simple check to make sure it starts with either http or https.
// If it does, we'll try to treat it like a valid URI
return preg_match('~^https?\:\/\/.*\z~i', $uri_string);
}
}
Reference in New Issue View Git Blame Copy Permalink