From c1537a1e82434a2fa11c27fac8df9b52200e2a39 Mon Sep 17 00:00:00 2001
From: Thomas Karpiniec
Date: Thu, 9 Jun 2016 19:56:36 +1000
Subject: [PATCH] Use noreferrer when linkifying attachments and allow this value in purifier
---
 lib/util.php | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/lib/util.php b/lib/util.php
index b35eff84d8..a2415945f1 100644
--- a/lib/util.php
+++ b/lib/util.php
@@ -594,7 +594,7 @@ function common_purify($html, array $args=array())
 *
 * Source: http://microformats.org/wiki/rel
 */
- $cfg->set('Attr.AllowedRel', ['bookmark', 'enclosure', 'nofollow', 'tag']);
+ $cfg->set('Attr.AllowedRel', ['bookmark', 'enclosure', 'nofollow', 'tag', 'noreferrer']);
 $cfg->set('HTML.ForbiddenAttributes', array('style')); // id, on* etc. are already filtered by default
 $cfg->set('URI.AllowedSchemes', array_fill_keys(common_url_schemes(), true));
 if (isset($args['URI.Base'])) {
@@ -1140,17 +1140,7 @@ function common_linkify($url) {
 }
 }
- // Add clippy
- if ($is_attachment) {
- $attrs['class'] = 'attachment';
- if ($has_thumb) {
- $attrs['class'] = 'attachment thumbnail';
- }
- $attrs['id'] = "attachment-{$attachment_id}";
- }
-
 // Whether to nofollow
-
 $nf = common_config('nofollow', 'external');
 if ($nf == 'never') {
@@ -1159,6 +1149,16 @@ function common_linkify($url) {
 $attrs['rel'] = 'nofollow external';
 }
+ // Add clippy
+ if ($is_attachment) {
+ $attrs['class'] = 'attachment';
+ if ($has_thumb) {
+ $attrs['class'] = 'attachment thumbnail';
+ }
+ $attrs['id'] = "attachment-{$attachment_id}";
+ $attrs['rel'] .= ' noreferrer';
+ }
+
 return XMLStringer::estring('a', $attrs, $url);
 }
-- 
2.39.5
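Review bot: The new `noreferrer` entry on the `Attr.AllowedRel` line is there for a privacy reason rather than as markup semantics like its neighbours, and nothing next to it records that. I would add a line directly above the call such as `// 'noreferrer' is allowed so a rel set when linkifying attachments is not stripped by the purifier`. Keep in mind that this allow-list only lets the value survive purification and never adds it, so HTML that reaches common_purify without it is unaffected. common_purify begins and ends outside the hunk.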
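Review bot: `$attrs['rel'] .= ' noreferrer';` in the re-added attachment block appends to a value it expects the nofollow branches above it to have assigned, and nothing in the code records that ordering dependency, which appears to be the reason the block was moved. Only the tail of that if/else is visible in this hunk (`$attrs['rel'] = 'nofollow external';`), so if any path leaves `rel` unset the `.=` would raise an undefined-index notice; a comment such as `// Must stay below the nofollow block: rel is appended to here, not assigned` would guard against a later reorder. Separately, the value is added only under `$is_attachment`, so other external links returned by common_linkify presumably still send the referring page URL to the remote host; if that leak is the concern, the non-attachment case deserves the same treatment or a note on why it is excluded. The function starts outside the hunk.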