Use noreferrer when linkifying attachments and allow this value in purifier

diff --git a/lib/util.php b/lib/util.php
index b35eff84d8c4f2c402eef2bf7807768c5dc1efff..a2415945f1fbc01712d109935e2343f847db43cc 100644 (file)
--- a/lib/util.php
+++ b/lib/util.php
@@ -594,7 +594,7 @@ function common_purify($html, array $args=array())
      *
      * Source: http://microformats.org/wiki/rel
      */
-    $cfg->set('Attr.AllowedRel', ['bookmark', 'enclosure', 'nofollow', 'tag']);
+    $cfg->set('Attr.AllowedRel', ['bookmark', 'enclosure', 'nofollow', 'tag', 'noreferrer']);
     $cfg->set('HTML.ForbiddenAttributes', array('style'));  // id, on* etc. are already filtered by default
     $cfg->set('URI.AllowedSchemes', array_fill_keys(common_url_schemes(), true));
     if (isset($args['URI.Base'])) {
@@ -1140,17 +1140,7 @@ function common_linkify($url) {
         }
     }
 
-    // Add clippy
-    if ($is_attachment) {
-        $attrs['class'] = 'attachment';
-        if ($has_thumb) {
-            $attrs['class'] = 'attachment thumbnail';
-        }
-        $attrs['id'] = "attachment-{$attachment_id}";
-    }
-
     // Whether to nofollow
-
     $nf = common_config('nofollow', 'external');
 
     if ($nf == 'never') {
@@ -1159,6 +1149,16 @@ function common_linkify($url) {
         $attrs['rel'] = 'nofollow external';
     }
 
+    // Add clippy
+    if ($is_attachment) {
+        $attrs['class'] = 'attachment';
+        if ($has_thumb) {
+            $attrs['class'] = 'attachment thumbnail';
+        }
+        $attrs['id'] = "attachment-{$attachment_id}";
+        $attrs['rel'] .= ' noreferrer';
+    }
+
     return XMLStringer::estring('a', $attrs, $url);
 }