diff --git a/app/javascript/mastodon/features/ui/components/boost_modal.js b/app/javascript/mastodon/features/ui/components/boost_modal.js
index 70f4a1282e2..0e79005f047 100644
--- a/app/javascript/mastodon/features/ui/components/boost_modal.js
+++ b/app/javascript/mastodon/features/ui/components/boost_modal.js
@@ -61,7 +61,7 @@ class BoostModal extends ImmutablePureComponent {
diff --git a/app/lib/formatter.rb b/app/lib/formatter.rb
index 990b9f63ed8..6ba3276141a 100644
--- a/app/lib/formatter.rb
+++ b/app/lib/formatter.rb
@@ -251,7 +251,7 @@ class Formatter
def link_to_url(entity, options = {})
url = Addressable::URI.parse(entity[:url])
- html_attrs = { target: '_blank', rel: 'nofollow noopener' }
+ html_attrs = { target: '_blank', rel: 'nofollow noopener noreferrer' }
html_attrs[:rel] = "me #{html_attrs[:rel]}" if options[:me]
diff --git a/app/lib/sanitize_config.rb b/app/lib/sanitize_config.rb
index aba8ce9f615..77045155e03 100644
--- a/app/lib/sanitize_config.rb
+++ b/app/lib/sanitize_config.rb
@@ -45,7 +45,7 @@ class Sanitize
add_attributes: {
'a' => {
- 'rel' => 'nofollow noopener',
+ 'rel' => 'nofollow noopener noreferrer',
'target' => '_blank',
},
},
diff --git a/app/views/about/show.html.haml b/app/views/about/show.html.haml
index 80f4cd82872..e0ec98ec975 100644
--- a/app/views/about/show.html.haml
+++ b/app/views/about/show.html.haml
@@ -38,7 +38,7 @@
%small= t('about.browse_public_posts')
.directory__tag
- = link_to 'https://joinmastodon.org/apps', target: '_blank', rel: 'noopener' do
+ = link_to 'https://joinmastodon.org/apps', target: '_blank', rel: 'noopener noreferrer' do
%h4
= fa_icon 'tablet fw'
= t('about.get_apps')
diff --git a/app/views/accounts/_moved.html.haml b/app/views/accounts/_moved.html.haml
index 02fd7bf429d..a82f277b16c 100644
--- a/app/views/accounts/_moved.html.haml
+++ b/app/views/accounts/_moved.html.haml
@@ -6,7 +6,7 @@
= t('accounts.moved_html', name: content_tag(:bdi, content_tag(:strong, display_name(account, custom_emojify: true), class: :emojify)), new_profile_link: link_to(content_tag(:strong, safe_join(['@', content_tag(:span, moved_to_account.acct)])), ActivityPub::TagManager.instance.url_for(moved_to_account), class: 'mention'))
.moved-account-widget__card
- = link_to ActivityPub::TagManager.instance.url_for(moved_to_account), class: 'detailed-status__display-name p-author h-card', target: '_blank', rel: 'me noopener' do
+ = link_to ActivityPub::TagManager.instance.url_for(moved_to_account), class: 'detailed-status__display-name p-author h-card', target: '_blank', rel: 'me noopener noreferrer' do
.detailed-status__display-avatar
.account__avatar-overlay
.account__avatar-overlay-base{ style: "background-image: url('#{moved_to_account.avatar.url(:original)}')" }
diff --git a/app/views/admin/reports/_status.html.haml b/app/views/admin/reports/_status.html.haml
index 6facc0a568b..425d315e175 100644
--- a/app/views/admin/reports/_status.html.haml
+++ b/app/views/admin/reports/_status.html.haml
@@ -19,7 +19,7 @@
= react_component :media_gallery, height: 343, sensitive: !current_account&.user&.show_all_media? && status.proper.sensitive? || current_account&.user&.hide_all_media?, 'autoPlayGif': current_account&.user&.setting_auto_play_gif, media: status.proper.media_attachments.map { |a| ActiveModelSerializers::SerializableResource.new(a, serializer: REST::MediaAttachmentSerializer).as_json }
.detailed-status__meta
- = link_to ActivityPub::TagManager.instance.url_for(status), class: 'detailed-status__datetime', target: stream_link_target, rel: 'noopener' do
+ = link_to ActivityPub::TagManager.instance.url_for(status), class: 'detailed-status__datetime', target: stream_link_target, rel: 'noopener noreferrer' do
%time.formatted{ datetime: status.created_at.iso8601, title: l(status.created_at) }= l(status.created_at)
- if status.discarded?
·
diff --git a/app/views/admin/tags/show.html.haml b/app/views/admin/tags/show.html.haml
index 5799e5973d9..c9a147587c6 100644
--- a/app/views/admin/tags/show.html.haml
+++ b/app/views/admin/tags/show.html.haml
@@ -3,7 +3,7 @@
.dashboard__counters
%div
- = link_to tag_url(@tag), target: '_blank', rel: 'noopener' do
+ = link_to tag_url(@tag), target: '_blank', rel: 'noopener noreferrer' do
.dashboard__counters__num= number_with_delimiter @accounts_today
.dashboard__counters__label= t 'admin.tags.accounts_today'
%div
diff --git a/app/views/application/_card.html.haml b/app/views/application/_card.html.haml
index 8719ce48444..808dce5144b 100644
--- a/app/views/application/_card.html.haml
+++ b/app/views/application/_card.html.haml
@@ -1,7 +1,7 @@
- account_url = local_assigns[:admin] ? admin_account_path(account.id) : ActivityPub::TagManager.instance.url_for(account)
.card.h-card
- = link_to account_url, target: '_blank', rel: 'noopener' do
+ = link_to account_url, target: '_blank', rel: 'noopener noreferrer' do
.card__img
= image_tag account.header.url, alt: ''
.card__bar
diff --git a/app/views/oauth/authorized_applications/index.html.haml b/app/views/oauth/authorized_applications/index.html.haml
index 7203d758da4..7b77108a93c 100644
--- a/app/views/oauth/authorized_applications/index.html.haml
+++ b/app/views/oauth/authorized_applications/index.html.haml
@@ -16,7 +16,7 @@
- if application.website.blank?
= application.name
- else
- = link_to application.name, application.website, target: '_blank', rel: 'noopener'
+ = link_to application.name, application.website, target: '_blank', rel: 'noopener noreferrer'
%th!= application.scopes.map { |scope| t(scope, scope: [:doorkeeper, :scopes]) }.join(', ')
%td= l application.created_at
%td
diff --git a/app/views/statuses/_detailed_status.html.haml b/app/views/statuses/_detailed_status.html.haml
index 5cee84ada88..3fa52d3f2bc 100644
--- a/app/views/statuses/_detailed_status.html.haml
+++ b/app/views/statuses/_detailed_status.html.haml
@@ -44,14 +44,14 @@
.detailed-status__meta
%data.dt-published{ value: status.created_at.to_time.iso8601 }
- = link_to ActivityPub::TagManager.instance.url_for(status), class: 'detailed-status__datetime u-url u-uid', target: stream_link_target, rel: 'noopener' do
+ = link_to ActivityPub::TagManager.instance.url_for(status), class: 'detailed-status__datetime u-url u-uid', target: stream_link_target, rel: 'noopener noreferrer' do
%time.formatted{ datetime: status.created_at.iso8601, title: l(status.created_at) }= l(status.created_at)
·
- if status.application && @account.user&.setting_show_application
- if status.application.website.blank?
%strong.detailed-status__application= status.application.name
- else
- = link_to status.application.name, status.application.website, class: 'detailed-status__application', target: '_blank', rel: 'noopener'
+ = link_to status.application.name, status.application.website, class: 'detailed-status__application', target: '_blank', rel: 'noopener noreferrer'
·
= link_to remote_interaction_path(status, type: :reply), class: 'modal-button detailed-status__link' do
- if status.in_reply_to_id.nil?
diff --git a/app/views/statuses/_simple_status.html.haml b/app/views/statuses/_simple_status.html.haml
index a68fe10220c..edcfbba2bf7 100644
--- a/app/views/statuses/_simple_status.html.haml
+++ b/app/views/statuses/_simple_status.html.haml
@@ -1,11 +1,11 @@
.status
.status__info
- = link_to ActivityPub::TagManager.instance.url_for(status), class: 'status__relative-time u-url u-uid', target: stream_link_target, rel: 'noopener' do
+ = link_to ActivityPub::TagManager.instance.url_for(status), class: 'status__relative-time u-url u-uid', target: stream_link_target, rel: 'noopener noreferrer' do
%time.time-ago{ datetime: status.created_at.iso8601, title: l(status.created_at) }= l(status.created_at)
%data.dt-published{ value: status.created_at.to_time.iso8601 }
.p-author.h-card
- = link_to ActivityPub::TagManager.instance.url_for(status.account), class: 'status__display-name u-url', target: stream_link_target, rel: 'noopener' do
+ = link_to ActivityPub::TagManager.instance.url_for(status.account), class: 'status__display-name u-url', target: stream_link_target, rel: 'noopener noreferrer' do
.status__avatar
%div
- if current_account&.user&.setting_auto_play_gif || autoplay
diff --git a/spec/fixtures/xml/mastodon.atom b/spec/fixtures/xml/mastodon.atom
index 9ece3bc2e39..92921a93800 100644
--- a/spec/fixtures/xml/mastodon.atom
+++ b/spec/fixtures/xml/mastodon.atom
@@ -123,7 +123,7 @@
2016-10-10T00:41:31Z
2016-10-10T00:41:31Z
Social media needs MOAR cats! http://kickass.zone/media/3
-
<p>Social media needs MOAR cats! <a rel="nofollow noopener" href="http://kickass.zone/media/3">http://kickass.zone/media/3</a></p>
+
<p>Social media needs MOAR cats! <a rel="nofollow noopener noreferrer" href="http://kickass.zone/media/3">http://kickass.zone/media/3</a></p>
http://activitystrea.ms/schema/1.0/post
@@ -135,7 +135,7 @@
2016-10-10T00:38:39Z
2016-10-10T00:38:39Z
http://kickass.zone/media/2
-
<p><a rel="nofollow noopener" href="http://kickass.zone/media/2">http://kickass.zone/media/2</a></p>
+
<p><a rel="nofollow noopener noreferrer" href="http://kickass.zone/media/2">http://kickass.zone/media/2</a></p>
http://activitystrea.ms/schema/1.0/post
diff --git a/spec/lib/sanitize_config_spec.rb b/spec/lib/sanitize_config_spec.rb
index 54bd8693cc8..feb86af3528 100644
--- a/spec/lib/sanitize_config_spec.rb
+++ b/spec/lib/sanitize_config_spec.rb
@@ -24,7 +24,7 @@ describe Sanitize::Config do
end
it 'keep links in lists' do
- expect(Sanitize.fragment('
Check out:
', subject)).to eq '
Check out:
joinmastodon.org Bar
'
+ expect(Sanitize.fragment('
Check out:
', subject)).to eq '
Check out:
joinmastodon.org Bar
'
end
end
end
diff --git a/spec/services/fetch_link_card_service_spec.rb b/spec/services/fetch_link_card_service_spec.rb
index 9761c5f0649..3c8f6f578f4 100644
--- a/spec/services/fetch_link_card_service_spec.rb
+++ b/spec/services/fetch_link_card_service_spec.rb
@@ -80,7 +80,7 @@ RSpec.describe FetchLinkCardService, type: :service do
end
context 'in a remote status' do
- let(:status) { Fabricate(:status, account: Fabricate(:account, domain: 'example.com'), text: 'Habt ihr ein paar gute Links zu #
Wannacry herumfliegen? Ich will mal unter
https://github.com/qbi/WannaCry was sammeln. !
security ') }
+ let(:status) { Fabricate(:status, account: Fabricate(:account, domain: 'example.com'), text: 'Habt ihr ein paar gute Links zu #
Wannacry herumfliegen? Ich will mal unter
https://github.com/qbi/WannaCry was sammeln. !
security ') }
it 'parses out URLs' do
expect(a_request(:get, 'https://github.com/qbi/WannaCry')).to have_been_made.at_least_once
diff --git a/spec/services/verify_link_service_spec.rb b/spec/services/verify_link_service_spec.rb
index 2edcdb75f12..3fc88e60e4b 100644
--- a/spec/services/verify_link_service_spec.rb
+++ b/spec/services/verify_link_service_spec.rb
@@ -28,12 +28,12 @@ RSpec.describe VerifyLinkService, type: :service do
end
end
- context 'when a link contains an
back' do
+ context 'when a link contains an back' do
let(:html) do
<<-HTML
- Follow me on Mastodon
+
Follow me on Mastodon
HTML
end