-
Notifications
You must be signed in to change notification settings - Fork 4.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Links: Add ref="noreferrer noopener" for target="_blank" links #6316
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for adding this! 😍
Looks like there's a regression with unsetting this toggle:
- Insert a link with Open in a new window turned ON
- Preview the post. Notice that the link opens in a new tab
- Edit the link and turn Open in a new window OFF
- Preview the post. Notice that the link still opens in a new tab
@@ -744,7 +744,8 @@ export class RichText extends Component { | |||
if ( ! anchor ) { | |||
this.removeFormat( 'link' ); | |||
} | |||
this.applyFormat( 'link', { href: formatValue.value, target: formatValue.target }, anchor ); | |||
const { value: href, ...params } = formatValue; | |||
this.applyFormat( 'link', { href, ...params }, anchor ); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Feels like we could avoid some friction if we named the attribute href
instead of value
, but eh.
Good catch, it looks like TinyMCE only patches the format instead of resetting it. Updated by explicitly passing null values.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Excellent 👍
…ress#6316) * Links: Add ref="noreferrer noopener" for target="_blank" links * Fix resetting the "open in new tab" option
Is it possible to change this behavior with a plugin, and if so, how? noreferrer can cause issues for affiliate programs tracking the link. TinyMCE used to use add both noreferrer and noopener but has since switched to only adding noopener. Core has a filter that can be used to switch to just using noopener but how can this be done in Gutenberg? |
closes #6186
This PR adds ref="noreferrer noopener" to target="_blank" links for security reasons.
Testing instructions
ref="noreferrer noopener"
is added to the link in the code editor.