Add HTML.Noopener to add a noopener rel to every external link

This has performance benefits https://jakearchibald.com/2016/performance-benefits-of-rel-noopener/ but most importantly also security benefits https://mathiasbynens.github.io/rel-noopener/ Adresses https://github.com/ezyang/htmlpurifier/issues/96
2025-08-08 23:26:39 +02:00 · 2017-01-13 13:44:58 +01:00
parent d4a96463ef
commit c82051c3e1
10 changed files with 129 additions and 2 deletions
--- a/library/HTMLPurifier/AttrTransform/Noopener.php
+++ b/library/HTMLPurifier/AttrTransform/Noopener.php
@@ -0,0 +1,52 @@
+<?php
+
+// must be called POST validation
+
+/**
+ * Adds rel="noopener" to all outbound links.  This transform is
+ * only attached if Attr.Noopener is TRUE.
+ */
+class HTMLPurifier_AttrTransform_Noopener extends HTMLPurifier_AttrTransform
+{
+    /**
+     * @type HTMLPurifier_URIParser
+     */
+    private $parser;
+
+    public function __construct()
+    {
+        $this->parser = new HTMLPurifier_URIParser();
+    }
+
+    /**
+     * @param array $attr
+     * @param HTMLPurifier_Config $config
+     * @param HTMLPurifier_Context $context
+     * @return array
+     */
+    public function transform($attr, $config, $context)
+    {
+        if (!isset($attr['href'])) {
+            return $attr;
+        }
+
+        // XXX Kind of inefficient
+        $url = $this->parser->parse($attr['href']);
+        $scheme = $url->getSchemeObj($config, $context);
+
+        if ($scheme->browsable && !$url->isLocal($config, $context)) {
+            if (isset($attr['rel'])) {
+                $rels = explode(' ', $attr['rel']);
+                if (!in_array('noopener', $rels)) {
+                    $rels[] = 'noopener';
+                }
+                $attr['rel'] = implode(' ', $rels);
+            } else {
+                $attr['rel'] = 'noopener';
+            }
+        }
+        return $attr;
+    }
+}
+
+// vim: et sw=4 sts=4