Merge branch 'security-11-5-url-rel' into 'security-11-5'

[11.5] Set URL rel attribute for broken URLs

See merge request gitlab/gitlabhq!2712
parents 1f6cd7d3 ea84f39a
title: Set URL rel attribute for broken URLs.
type: security
......@@ -9,11 +9,10 @@ class ExternalLinkFilter < HTML::Pipeline::Filter
def call
links.each do |node|
uri = uri(node['href'].to_s)
next unless uri
node.set_attribute('href', uri.to_s)
node.set_attribute('href', uri.to_s) if uri
if SCHEMES.include?(uri.scheme) && external_url?(uri)
if SCHEMES.include?(uri&.scheme) && !internal_url?(uri)
node.set_attribute('rel', 'nofollow noreferrer noopener')
node.set_attribute('target', '_blank')
......@@ -35,11 +34,12 @@ def links
def external_url?(uri)
def internal_url?(uri)
return false if uri.nil?
# Relative URLs miss a hostname
return false unless uri.hostname
return true unless uri.hostname
uri.hostname != internal_url.hostname
uri.hostname == internal_url.hostname
def internal_url
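Review bot: The protection this commit adds for unparseable hrefs hinges on an invisible invariant: in the `if SCHEMES.include?(uri&.scheme) && !internal_url?(uri)` condition, a nil `uri` yields a nil scheme, so `rel`/`target` are set only while `SCHEMES` (defined outside this hunk) contains `nil`; if `nil` is ever dropped from that list, broken links silently lose `noopener noreferrer` again and nothing in the filter itself would flag it. Spelling the failed-parse case out decouples it from the scheme list: `if uri.nil? || (SCHEMES.include?(uri.scheme) && !internal_url?(uri))`. The inverted helper also now encodes two opposite defaults — a nil URI is "not internal" while a hostname-less one is "internal" — so a comment above `return false if uri.nil?` such as `# nil means the href failed to parse: treat it as external so it still gets rel/target; hostname-less (relative) links are ours` would spare the next reader the double-take. Note too that `uri.hostname == internal_url.hostname` ignores the port, so `http://<internal-host>:<other-port>/` is treated as internal and opens without the hardened rel; that is pre-existing behaviour, only made more visible by the rename. The body of `call` continues past the hunk, so the `target` handling after the shown lines was not reviewed.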
......@@ -49,16 +49,16 @@
context 'for invalid urls' do
it 'skips broken hrefs' do
it 'adds rel and target attributes to broken hrefs' do
doc = filter %q(<p><a href="don't crash on broken urls">Google</a></p>)
expected = %q(<p><a href="don't%20crash%20on%20broken%20urls">Google</a></p>)
expected = %q(<p><a href="don't%20crash%20on%20broken%20urls" rel="nofollow noreferrer noopener" target="_blank">Google</a></p>)
expect(doc.to_html).to eq(expected)
it 'skips improperly formatted mailtos' do
it 'adds rel and target to improperly formatted mailtos' do
doc = filter %q(<p><a href="mailto://">Email</a></p>)
expected = %q(<p><a href="mailto://">Email</a></p>)
expected = %q(<p><a href="mailto://" rel="nofollow noreferrer noopener" target="_blank">Email</a></p>)
expect(doc.to_html).to eq(expected)
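Review bot: The updated expectations pin that unparseable hrefs now receive `rel`/`target`, but nothing in this hunk guards the other direction the predicate inversion touched: `internal_url?` now answers true for any URI without a hostname, so a relative link such as `href="/docs"` must continue to get no `rel`/`target`, and a regression there would widen `target="_blank"` to every in-app link. Unless that case is already covered by a context outside this hunk, add `it 'leaves relative hrefs untouched' do doc = filter %q(<p><a href="/docs">Docs</a></p>); expect(doc.to_html).to eq(%q(<p><a href="/docs">Docs</a></p>)); end`. It is also worth a one-line comment that the `%20` in the expected output for `don't crash on broken urls` appears to come from attribute serialisation rather than from the filter, which by this test's own logic never obtained a parsed URI to write back, e.g. `# the filter does not rewrite an href it could not parse; the %20 escaping is the serializer's`, so the test does not read as if the filter normalised the URL.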
