
Textpattern CMS support forum


#11 2020-05-18 11:03:02

singaz
Member
From: Kyiv, Ukraine
Registered: 2017-03-12
Posts: 140

Re: Unsafe use of target blank

How to make a link with the target="_blank" using Textile?

How to make a link with the rel="noopener noreferrer external" using Textile?

<a rel="noopener noreferrer external" target="_blank" href="https://site.com/link/">link to site</a>

Is it possible?


Sorry my horror English. I’m learning textpattern, I’m learning English

Offline

#12 2020-05-18 11:24:23

phiw13
Plugin Author
From: Japan
Registered: 2004-02-27
Posts: 2,055
Website

Re: Unsafe use of target blank

singaz wrote #323027:

How to make a link with the target="_blank" using Textile?

How to make a link with the rel="noopener noreferrer external" using Textile?

I don’t think it is directly possible. Yiannis (Colak) uses a shortcode form, here


Where is that emoji for a solar powered submarine when you need it ?

Offline

#13 2020-05-18 17:12:23

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 9,650
Website

Re: Unsafe use of target blank

I’ve added noopener to the author_uri links in the Themes and Plugins panels from 4.8.1. Hope that helps in some way with this.


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp

Offline

#14 2020-05-18 17:33:23

singaz
Member
From: Kyiv, Ukraine
Registered: 2017-03-12
Posts: 140

Re: Unsafe use of target blank

phiw13 , Bloke

Thank you!


Sorry my horror English. I’m learning textpattern, I’m learning English

Offline

#15 2020-05-19 09:18:05

philwareham
Core designer
From: Haslemere, Surrey, UK
Registered: 2009-06-11
Posts: 3,346
Website

Re: Unsafe use of target blank

Bloke wrote #323029:

I’ve added noopener to the author_uri links in the Themes and Plugins panels from 4.8.1. Hope that helps in some way with this.

Erm, why are we doing this exactly? These links don’t target a new window/tab as far as I remember so adding that to the rel attribute is not going to do anything.

I’ve already added this security months ago, where needed, in the core and that was released as of Textpattern 4.8.0.

To summarise:

noopener is only needed when target="_blank" is used, to mitigate tab-jacking. And we already do that anywhere it is in core.

noreferrer prevents the linked resource from knowing the originator (and is a companion for your Referrer-Policy header). Not really relevant to Textpattern core.

Offline
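The rule summarised in the post above (add noopener wherever target="_blank" is used), as an added example that is not part of the original posts or of Textpattern's code. The function names `safeRel` and `hardenBlankLinks`, the stub DOM and the example.com links are assumptions constructed for illustration; in a browser, pass `document` instead of the stub.

```javascript
// Return the rel value a link should carry, given its target and current rel.
// Only target="_blank" links are touched; existing tokens are preserved.
function safeRel(target, rel) {
  const current = rel || "";
  // Target keywords such as _blank are matched case-insensitively.
  if ((target || "").toLowerCase() !== "_blank") return current;
  const tokens = current.split(/\s+/).filter(Boolean);
  if (tokens.some((t) => t.toLowerCase() === "noopener")) return current;
  return [...tokens, "noopener"].join(" ");
}

// Walk every link under `root`, add the missing noopener token, and
// return the hrefs that had to be changed (useful as an audit list).
function hardenBlankLinks(root) {
  const changed = [];
  for (const a of root.querySelectorAll("a[target]")) {
    const before = a.getAttribute("rel") || "";
    const after = safeRel(a.getAttribute("target"), before);
    if (after !== before) {
      a.setAttribute("rel", after);
      changed.push(a.getAttribute("href"));
    }
  }
  return changed;
}

// Constructed stand-in for a DOM so the example also runs outside a browser.
function stubLink(attrs) {
  return {
    getAttribute: (name) => (name in attrs ? attrs[name] : null),
    setAttribute: (name, value) => { attrs[name] = value; },
  };
}
function stubDocument(links) {
  return { querySelectorAll: () => links };
}

// Constructed sample links: two unsafe, one already safe, one same-tab.
const sampleLinks = [
  stubLink({ href: "https://example.com/a", target: "_blank" }),
  stubLink({ href: "https://example.com/b", target: "_blank", rel: "external" }),
  stubLink({ href: "https://example.com/c", target: "_blank",
             rel: "noopener noreferrer external" }),
  stubLink({ href: "https://example.com/d" }),
];
const fixed = hardenBlankLinks(stubDocument(sampleLinks));
console.log("links that were missing noopener:", fixed);
```
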

#16 2020-05-19 09:27:27

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 9,650
Website

Re: Unsafe use of target blank

philwareham wrote #323037:

Erm, why are we doing this exactly? These links don’t target a new window/tab as far as I remember so adding that to the rel attribute is not going to do anything.

My bad. I’ll revert it. I thought it would help if people chose to open the link in a new tab.

Edit: Oh, you’ve done it. Thanks!

Last edited by Bloke (2020-05-19 09:28:01)


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp

Offline

#17 2020-05-19 09:28:03

philwareham
Core designer
From: Haslemere, Surrey, UK
Registered: 2009-06-11
Posts: 3,346
Website

Re: Unsafe use of target blank

Bloke wrote #323039:

My bad. I’ll revert it.

I’ve done a partial revert today – no worries. Cheers Stef.

Offline

#18 2020-05-19 09:35:56

philwareham
Core designer
From: Haslemere, Surrey, UK
Registered: 2009-06-11
Posts: 3,346
Website

Re: Unsafe use of target blank

Bloke wrote #323039:

I thought it would help if people chose to open the link in a new tab.

If a user manually opens a link in a new tab via a right-click context menu option, that is automatically ring-fenced by the browser against the aforementioned security risk I believe.

Offline

#19 2020-05-19 09:42:14

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 9,650
Website

Re: Unsafe use of target blank

philwareham wrote #323042:

If a user manually opens a link in a new tab via a right-click context menu option, that is automatically ring-fenced by the browser against the aforementioned security risk I believe.

Good to know, thanks!


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp

Offline

#20 2020-05-19 10:08:15

phiw13
Plugin Author
From: Japan
Registered: 2004-02-27
Posts: 2,055
Website

Re: Unsafe use of target blank

philwareham wrote #323037:

noopener is only needed when target="_blank" is used, to mitigate tab-jacking. And we already do that anywhere it is in core.

You may want to add a noopener to the link-to-textpattern-site in the footer of every page of the admin side. Oh, and on the Write tab, the “view” link is also target=_blank (to give it the same treatment as the link-to-site in the <header />).


Where is that emoji for a solar powered submarine when you need it ?

Offline
