Add "noreferrer" to comments in dashboard

[Cybr]

Within /wp-admin/edit-comments.php, one might check out a posted link before verifying the comment's legitimacy.

While doing so, we're sending the linked site that their comment got through; plausibly opening yourself to complications.

Whatever the reason may be, I don't think we should give spammers any information.

To resolve this, simply add rel=noreferrer to those links.

[adam3128]

Conditional check for comment status. If not approved, add noreferrer to anchor tags shown on dashboard.

[adam3128]

Hey guys,

First ticket I've contributed code towards the core for. Attached a diff file which I think resolves this issue.

Any issues, just let me know.

Hope this helps,

Adam

[Cybr]

We might also wish to add target=_blank and add rel="noopener noreferrer" to optimize flow and prevent window hijacking thereof.

Ref: ​https://wordpress.org/support/topic/remove-rel-noopener-noreferrer-in-wordpress-4-7-4/#post-9057251

I think we shouldn't go away from the admin area in the first place, also.

@adam3128 I think the "approved" status check is redundant, even though it's a nice touch. Visitors comment for the front-end, after all.

[adam3128]

Version 2 of solution with target blank and noopener

[adam3128]

Hey @Cybr,

Thanks for the feedback above. That sounds good to me.

I've attached the new revision with your comments taken on board.

Any issues, just let me know.

Adam

[Cybr]

wp_unbind_links() function, attached to comments through JIT filter

[Cybr]

The file I've attached incorporates @adam3128's changes (author links).
Also including a filter that applies to all comments' contents on the wp-admin/edit-comments.php screen.

The filter catches all links through a new function (wp_unbind_links()) and removes all formats of target and rel attributes, finally replacing them with empty strings without fail. Even rel="something example'" gets caught.

From there it adds target=_blank rel="noopener noreferrer" to each found link.

The code has been tested and works on PHP 5.2.16 and PHP 7.1.5.

What needs to be determined is the placement of the filter.
i.e. Do we want to catch all new comments, all current comments, or only the comments on the said admin screen?

[erayalakese]

A small modification to reduce code repeat

[DrewAPicture]

Assigning ownership to mark the good-first-bug as "claimed".

[pratikkry]

any progress on this?

[andraganescu]

Refreshed patch 40916.diff

[andraganescu]

@Cybr I took the liberty and refreshed your patch as it didn't apply cleanly via the grunt patch command.

@erayalakese @adam3128 I think @Cybr 's patch is more complete solving for more than the author's URL, but any link in the comment. Also in the other patches the check for approved authors seems not needed (and did not seem to be working in my testing either) as all these links should be treated the same.

About @Cybr 's question on:

What needs to be determined is the placement of the filter.
i.e. Do we want to catch all new comments, all current comments, or only the comments on the said admin screen?

I think we should stick to this screen for now.

@pratikkry as you seem interested into this ticker perhaps you have a bit of time to test this latest patch?

[audrasjb]

Comments: In the admin, open comment author links in a new tab, and add a noopener rel attribute.

[audrasjb]

In 40916.2.2.diff, I suggest to simplify the approach proposed in the previous patch, and to make in more accessible by adding a screen-reader-text to the link.

Moving for 5.9 consideration.

[audrasjb]

works fine