mirror of
https://github.com/silverstripe/silverstripe-framework
synced 2024-10-22 14:05:37 +02:00
Add rel attribute to link elements with a target attribute
This commit is contained in:
parent
50a1aa4c4d
commit
887f198b07
@ -4,6 +4,7 @@ namespace SilverStripe\Forms\HTMLEditor;
|
|||||||
|
|
||||||
use DOMAttr;
|
use DOMAttr;
|
||||||
use DOMElement;
|
use DOMElement;
|
||||||
|
use SilverStripe\Core\Config\Configurable;
|
||||||
use SilverStripe\Core\Injector\Injectable;
|
use SilverStripe\Core\Injector\Injectable;
|
||||||
use SilverStripe\View\Parsers\HTMLValue;
|
use SilverStripe\View\Parsers\HTMLValue;
|
||||||
use stdClass;
|
use stdClass;
|
||||||
@ -17,8 +18,21 @@ use stdClass;
|
|||||||
*/
|
*/
|
||||||
class HTMLEditorSanitiser
|
class HTMLEditorSanitiser
|
||||||
{
|
{
|
||||||
|
use Configurable;
|
||||||
use Injectable;
|
use Injectable;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* rel attribute to add to link elements which have a target attribute (usually "_blank")
|
||||||
|
* this is to done to prevent reverse tabnabbing - see https://www.owasp.org/index.php/Reverse_Tabnabbing
|
||||||
|
* noopener includes the behaviour we want, though some browsers don't yet support it and rely
|
||||||
|
* upon using noreferrer instead - see https://caniuse.com/rel-noopener for current browser compatibility
|
||||||
|
* set this to null if you would like to disable this behaviour
|
||||||
|
* set this to an empty string if you would like to remove rel attributes that were previously set
|
||||||
|
*
|
||||||
|
* @var string
|
||||||
|
*/
|
||||||
|
private static $link_rel_value = 'noopener noreferrer';
|
||||||
|
|
||||||
/** @var [stdClass] - $element => $rule hash for whitelist element rules where the element name isn't a pattern */
|
/** @var [stdClass] - $element => $rule hash for whitelist element rules where the element name isn't a pattern */
|
||||||
protected $elements = array();
|
protected $elements = array();
|
||||||
/** @var [stdClass] - Sequential list of whitelist element rules where the element name is a pattern */
|
/** @var [stdClass] - Sequential list of whitelist element rules where the element name is a pattern */
|
||||||
@ -277,6 +291,7 @@ class HTMLEditorSanitiser
|
|||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
$linkRelValue = $this->config()->get('link_rel_value');
|
||||||
$doc = $html->getDocument();
|
$doc = $html->getDocument();
|
||||||
|
|
||||||
/** @var DOMElement $el */
|
/** @var DOMElement $el */
|
||||||
@ -331,6 +346,32 @@ class HTMLEditorSanitiser
|
|||||||
$el->setAttribute($attr, $forced);
|
$el->setAttribute($attr, $forced);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if ($el->tagName === 'a' && $linkRelValue !== null) {
|
||||||
|
$this->addRelValue($el, $linkRelValue);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Adds rel="noopener noreferrer" to link elements with a target attribute
|
||||||
|
*
|
||||||
|
* @param DOMElement $el
|
||||||
|
* @param string|null $linkRelValue
|
||||||
|
*/
|
||||||
|
private function addRelValue(DOMElement $el, $linkRelValue)
|
||||||
|
{
|
||||||
|
// user has checked the checkbox 'open link in new window'
|
||||||
|
if ($el->getAttribute('target') && $el->getAttribute('rel') !== $linkRelValue) {
|
||||||
|
if ($linkRelValue !== '') {
|
||||||
|
$el->setAttribute('rel', $linkRelValue);
|
||||||
|
} else {
|
||||||
|
$el->removeAttribute('rel');
|
||||||
|
}
|
||||||
|
} elseif ($el->getAttribute('rel') === $linkRelValue && !$el->getAttribute('target')) {
|
||||||
|
// user previously checked 'open link in new window' and noopener was added,
|
||||||
|
// now user has unchecked the checkbox so we can remove noopener
|
||||||
|
$el->removeAttribute('rel');
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
|
|
||||||
namespace SilverStripe\Forms\Tests\HTMLEditor;
|
namespace SilverStripe\Forms\Tests\HTMLEditor;
|
||||||
|
|
||||||
use SilverStripe\Core\Injector\Injector;
|
use SilverStripe\Core\Config\Config;
|
||||||
use SilverStripe\Dev\FunctionalTest;
|
use SilverStripe\Dev\FunctionalTest;
|
||||||
use SilverStripe\Forms\HTMLEditor\HTMLEditorConfig;
|
use SilverStripe\Forms\HTMLEditor\HTMLEditorConfig;
|
||||||
use SilverStripe\Forms\HTMLEditor\HTMLEditorSanitiser;
|
use SilverStripe\Forms\HTMLEditor\HTMLEditorSanitiser;
|
||||||
@ -43,7 +43,37 @@ class HTMLEditorSanitiserTest extends FunctionalTest
|
|||||||
'<p default1="specific1" force1="specific1">Test</p>',
|
'<p default1="specific1" force1="specific1">Test</p>',
|
||||||
'<p default1="specific1" force1="force1" default2="default2" force2="force2">Test</p>',
|
'<p default1="specific1" force1="force1" default2="default2" force2="force2">Test</p>',
|
||||||
'Default attributes are set when not present in input, forced attributes are always set'
|
'Default attributes are set when not present in input, forced attributes are always set'
|
||||||
)
|
),
|
||||||
|
array(
|
||||||
|
'a[href|target|rel]',
|
||||||
|
'<a href="/test" target="_blank">Test</a>',
|
||||||
|
'<a href="/test" target="_blank" rel="noopener noreferrer">Test</a>',
|
||||||
|
'noopener rel attribute is added when target attribute is set'
|
||||||
|
),
|
||||||
|
array(
|
||||||
|
'a[href|target|rel]',
|
||||||
|
'<a href="/test" target="_top">Test</a>',
|
||||||
|
'<a href="/test" target="_top" rel="noopener noreferrer">Test</a>',
|
||||||
|
'noopener rel attribute is added when target is _top instead of _blank'
|
||||||
|
),
|
||||||
|
array(
|
||||||
|
'a[href|target|rel]',
|
||||||
|
'<a href="/test" rel="noopener noreferrer">Test</a>',
|
||||||
|
'<a href="/test">Test</a>',
|
||||||
|
'noopener rel attribute is removed when target is not set'
|
||||||
|
),
|
||||||
|
array(
|
||||||
|
'a[href|target|rel]',
|
||||||
|
'<a href="/test" rel="noopener noreferrer" target="_blank">Test</a>',
|
||||||
|
'<a href="/test" target="_blank">Test</a>',
|
||||||
|
'noopener rel attribute is removed when link_rel_value is an empty string'
|
||||||
|
),
|
||||||
|
array(
|
||||||
|
'a[href|target|rel]',
|
||||||
|
'<a href="/test" target="_blank">Test</a>',
|
||||||
|
'<a href="/test" target="_blank">Test</a>',
|
||||||
|
'noopener rel attribute is unchanged when link_rel_value is null'
|
||||||
|
),
|
||||||
);
|
);
|
||||||
|
|
||||||
$config = HTMLEditorConfig::get('htmleditorsanitisertest');
|
$config = HTMLEditorConfig::get('htmleditorsanitisertest');
|
||||||
@ -54,6 +84,14 @@ class HTMLEditorSanitiserTest extends FunctionalTest
|
|||||||
$config->setOptions(array('valid_elements' => $validElements));
|
$config->setOptions(array('valid_elements' => $validElements));
|
||||||
$sanitiser = new HtmlEditorSanitiser($config);
|
$sanitiser = new HtmlEditorSanitiser($config);
|
||||||
|
|
||||||
|
$value = 'noopener noreferrer';
|
||||||
|
if (strpos($desc, 'link_rel_value is an empty string') !== false) {
|
||||||
|
$value = '';
|
||||||
|
} elseif (strpos($desc, 'link_rel_value is null') !== false) {
|
||||||
|
$value = null;
|
||||||
|
}
|
||||||
|
Config::inst()->set(HTMLEditorSanitiser::class, 'link_rel_value', $value);
|
||||||
|
|
||||||
$htmlValue = HTMLValue::create($input);
|
$htmlValue = HTMLValue::create($input);
|
||||||
$sanitiser->sanitise($htmlValue);
|
$sanitiser->sanitise($htmlValue);
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user