
Markdown.pl: allow target="_blank" rel="nofollow"

While other targets could, potentially, represent legitimate
issues for concern, opening a new window generally does not
since that's typically a readily available option in the user
agent anyway when choosing to follow any individual link.

While using target="_blank" does not really represent any
security issue, it may be an annoyance issue, but that's something
for the author to address, not the sanitizer.

Although rel="nofollow" is _not_ part of the HTML 4 standard,
it may be very useful to avoid "endorsing" sites that are being
linked to.  Since it does not introduce any risk of scripting
issues or other hidden issues, go ahead and allow it too.

Signed-off-by: Kyle J. McKay <mackyle@gmail.com>
Branch: master
Author: Kyle J. McKay, 4 years ago
Commit: 39e875e4f5
Changed files: Markdown.pl (8 lines)
@ -3451,7 +3451,7 @@ my %impatt; # names of "implied" attributes
BEGIN { BEGIN {
%univatt = map({$_ => 1} qw(class dir id lang style title xml:lang)); %univatt = map({$_ => 1} qw(class dir id lang style title xml:lang));
%tagatt = ( %tagatt = (
'a' => { map({$_ => 1} qw(href name)) }, 'a' => { map({$_ => 1} qw(href name rel target)) },
'area' => { map({$_ => 1} qw(alt coords href nohref shape)) }, 'area' => { map({$_ => 1} qw(alt coords href nohref shape)) },
'basefont' => { map({$_ => 1} qw(color face size)) }, 'basefont' => { map({$_ => 1} qw(color face size)) },
'br' => { map({$_ => 1} qw(clear)) }, 'br' => { map({$_ => 1} qw(clear)) },
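Review bot: whitelisting `rel` and `target` in `%tagatt` for `a` only lets the attribute names through; nothing in this hunk constrains their values, and the restriction to `_blank` and `nofollow` lives in a separate branch of `_SanitizeAtt`, so any code path that consults `%tagatt` without going through `_SanitizeAtt` would pass arbitrary `target`/`rel` values. A comment next to `qw(href name rel target)` saying that the two new names are value-restricted elsewhere would keep the two lists from drifting apart. Also, `area` on the next line carries `href` as well but will still drop `target` and `rel`; if that is intentional it is worth a sentence in the commit message.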
@ -3805,6 +3805,12 @@ sub _SanitizeAtt {
ref($opt{base_prefix}) eq 'CODE' and ref($opt{base_prefix}) eq 'CODE' and
$_[1] = '"' . escapeXML(&{$opt{base_prefix}}("#")) . '"'; $_[1] = '"' . escapeXML(&{$opt{base_prefix}}("#")) . '"';
}; };
if ($_[4] eq "a") {
$att eq "target" and
return $_[1] =~ /^([\042\047])\s*_blank\s*\1$/io ? 'target="_blank" ' : "";
$att eq "rel" and
return $_[1] =~ /^([\042\047])\s*nofollow\s*\1$/io ? 'rel="nofollow" ' : "";
}
if ($lcattval{$att}) { if ($lcattval{$att}) {
return $att."="._SanitizeAttValue(lc($_[1]))." "; return $att."="._SanitizeAttValue(lc($_[1]))." ";
} else { } else {
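Review bot: the `rel` check (`$att eq "rel" and return ...`) accepts only the single token `nofollow`, but `rel` is a whitespace-separated token list in HTML, so a value such as `rel="nofollow noopener"` fails the regex and the whole attribute is dropped instead of being reduced to `rel="nofollow"`; consider splitting the value on whitespace and emitting `rel="nofollow"` when `nofollow` is among the tokens. Two smaller points: both regexes insist on a matching pair of quote characters (`[\042\047]`), so an unquoted `target=_blank` is dropped if the caller can ever hand the value to `_SanitizeAtt` in that form, which deserves a comment either way; and the tag-name test `$_[4] eq "a"` reads an undocumented positional argument, so a short comment naming what `$_[4]` holds would help the next reader.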
