Refactor HTML.Noopener to HTML.TargetNoopener so that it behaves like HTML.TargetNoreferrer and is active by default if a target is set

library/HTMLPurifier/AttrTransform/Noopener.php

@@ -1,52 +0,0 @@
-<?php
-
-// must be called POST validation
-
-/**
- * Adds rel="noopener" to all outbound links.  This transform is
- * only attached if Attr.Noopener is TRUE.
- */
-class HTMLPurifier_AttrTransform_Noopener extends HTMLPurifier_AttrTransform
-{
-    /**
-     * @type HTMLPurifier_URIParser
-     */
-    private $parser;
-
-    public function __construct()
-    {
-        $this->parser = new HTMLPurifier_URIParser();
-    }
-
-    /**
-     * @param array $attr
-     * @param HTMLPurifier_Config $config
-     * @param HTMLPurifier_Context $context
-     * @return array
-     */
-    public function transform($attr, $config, $context)
-    {
-        if (!isset($attr['href'])) {
-            return $attr;
-        }
-
-        // XXX Kind of inefficient
-        $url = $this->parser->parse($attr['href']);
-        $scheme = $url->getSchemeObj($config, $context);
-
-        if ($scheme->browsable && !$url->isLocal($config, $context)) {
-            if (isset($attr['rel'])) {
-                $rels = explode(' ', $attr['rel']);
-                if (!in_array('noopener', $rels)) {
-                    $rels[] = 'noopener';
-                }
-                $attr['rel'] = implode(' ', $rels);
-            } else {
-                $attr['rel'] = 'noopener';
-            }
-        }
-        return $attr;
-    }
-}
-
-// vim: et sw=4 sts=4

library/HTMLPurifier/AttrTransform/TargetNoopener.php

@@ -0,0 +1,37 @@
+<?php
+
+// must be called POST validation
+
+/**
+ * Adds rel="noopener" to any links which target a different window
+ * than the current one.  This is used to prevent malicious websites
+ * from silently replacing the original window, which could be used
+ * to do phishing.
+ * This transform is controlled by %HTML.TargetNoopener.
+ */
+class HTMLPurifier_AttrTransform_TargetNoopener extends HTMLPurifier_AttrTransform
+{
+    /**
+     * @param array $attr
+     * @param HTMLPurifier_Config $config
+     * @param HTMLPurifier_Context $context
+     * @return array
+     */
+    public function transform($attr, $config, $context)
+    {
+        if (isset($attr['rel'])) {
+            $rels = explode(' ', $attr['rel']);
+        } else {
+            $rels = array();
+        }
+        if (isset($attr['target']) && !in_array('noopener', $rels)) {
+            $rels[] = 'noopener';
+        }
+        if (!empty($rels) || isset($attr['rel'])) {
+            $attr['rel'] = implode(' ', $rels);
+        }
+
+        return $attr;
+    }
+}
+