Opened 4 years ago
Last modified 6 days ago
#40916 assigned enhancement
Add "noreferrer" to comments in dashboard
Reported by: |
|
Owned by: |
|
---|---|---|---|
Milestone: | 5.9 | Priority: | normal |
Severity: | normal | Version: | |
Component: | Comments | Keywords: | has-patch |
Focuses: | accessibility, administration | Cc: |
Description
Within /wp-admin/edit-comments.php
, one might check out a posted link before verifying the comment's legitimacy.
While doing so, we're sending the linked site that their comment got through; plausibly opening yourself to complications.
Whatever the reason may be, I don't think we should give spammers any information.
To resolve this, simply add rel=noreferrer
to those links.
Attachments (7)
Change History (18)
#2
@
4 years ago
Hey guys,
First ticket I've contributed code towards the core for. Attached a diff file which I think resolves this issue.
Any issues, just let me know.
Hope this helps,
Adam
#4
@
4 years ago
We might also wish to add target=_blank
and add rel="noopener noreferrer"
to optimize flow and prevent window hijacking thereof.
Ref: https://wordpress.org/support/topic/remove-rel-noopener-noreferrer-in-wordpress-4-7-4/#post-9057251
I think we shouldn't go away from the admin area in the first place, also.
@adam3128 I think the "approved" status check is redundant, even though it's a nice touch. Visitors comment for the front-end, after all.
#5
@
4 years ago
- Keywords 2nd-opinion removed
Hey @Cybr,
Thanks for the feedback above. That sounds good to me.
I've attached the new revision with your comments taken on board.
Any issues, just let me know.
Adam
#6
@
4 years ago
- Keywords needs-testing 2nd-opinion added
The file I've attached incorporates @adam3128's changes (author links).
Also including a filter that applies to all comments' contents on the wp-admin/edit-comments.php
screen.
The filter catches all links through a new function (wp_unbind_links()
) and removes all formats of target
and rel
attributes, finally replacing them with empty strings without fail. Even rel="something example'"
gets caught.
From there it adds target=_blank rel="noopener noreferrer"
to each found link.
The code has been tested and works on PHP 5.2.16 and PHP 7.1.5.
What needs to be determined is the placement of the filter.
i.e. Do we want to catch all new comments, all current comments, or only the comments on the said admin screen?
#7
@
4 years ago
- Owner set to adam3128
- Status changed from new to assigned
Assigning ownership to mark the good-first-bug
as "claimed".
#9
@
23 months ago
- Keywords good-first-bug 2nd-opinion removed
- Milestone changed from Awaiting Review to Future Release
@Cybr I took the liberty and refreshed your patch as it didn't apply cleanly via the grunt patch command.
@erayalakese @adam3128 I think @Cybr 's patch is more complete solving for more than the author's URL, but any link in the comment. Also in the other patches the check for approved authors seems not needed (and did not seem to be working in my testing either) as all these links should be treated the same.
About @Cybr 's question on:
What needs to be determined is the placement of the filter.
i.e. Do we want to catch all new comments, all current comments, or only the comments on the said admin screen?
I think we should stick to this screen for now.
@pratikkry as you seem interested into this ticker perhaps you have a bit of time to test this latest patch?
@
4 weeks ago
Comments: In the admin, open comment author links in a new tab, and add a noopener
rel
attribute.
#10
@
4 weeks ago
- Focuses accessibility added
- Keywords needs-testing removed
- Milestone changed from Future Release to 5.9
In 40916.2.2.diff
, I suggest to simplify the approach proposed in the previous patch, and to make in more accessible by adding a screen-reader-text
to the link.
Moving for 5.9 consideration.
Conditional check for comment status. If not approved, add noreferrer to anchor tags shown on dashboard.