-
Notifications
You must be signed in to change notification settings - Fork 49
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Links opening in a new tab to have rel="noopener" attribute #29
Comments
HTML purifier already does that by default for you when saving: http://htmlpurifier.org/live/configdoc/plain.html#HTML.TargetNoopener Unless you have disabled HTML purifier or explicitly turned that setting off. |
Weird, this doesn't seem to be the case for me. I definitely haven't explicitly touched HTML puriffier's config so something else must be going on. |
@XhmikosR In your Redactor field settings, is “Purify HTML?” still enabled? |
Hmm, it must be a field where that might be off. Going through all my fields right now. |
OK, I think that was the reason. Some fields had the option disabled. Sorry for the noise! |
No worries, glad to hear it’s working as expected :) |
Unfortunately enabling this breaks any IDs and classes we have. :/ @brandonkelly Is it possible to provide a more flexible HTML Purifier config? For example I have also enabled the custom properties Redactor plugin but it's moot since on Save IDs and Classes are being removed :/ I tried setting up my custom config but seems a bit too much for me to handle this only on my own... {
"Attr.AllowedFrameTargets": ["_blank"],
"Attr.EnableID": true,
"HTML.AllowedAttributes": "img.src,a.href,a.target,a.rel,*.id,*.class",
"HTML.AllowedComments": ["pagebreak"]
} What are the default allowed attributes for example? None? If I don't specify I can make a new issue, I just started playing with this due to rel noopener initially. |
@XhmikosR Right now we’re mostly just focused on allowing HTML that can be added via the UI. So if something is getting dropped that you added via the UI, you can post a new issue about that. Otherwise, you can create your own HTML Purifier config. |
@brandonkelly: this is done via the UI with https://imperavi.com/redactor/plugins/properties/ Yet, the default config strips IDs and classes. I did try to use my own config, see above, but then I'd need to whitelist every possible attribute myself. So, I think it would be for the greater good if this was tackled upstream here. |
Feature Request:
When a client adds a link into a redactor field and selects the option for it to be opened in a new tab, could we please have an attribute of rel="noopener" added to the anchor tag alongside the target="_blank" attribute? There are both security and performance benefits to this which are explained here: https://jakearchibald.com/2016/performance-benefits-of-rel-noopener/
Clients won't be going into the source and adding it themselves, so it would be good to have it done by default as we have been adding these to the hardcoded achor tags around the rest of the site and this is the last area for us that it needs implementing. Thank you.
The text was updated successfully, but these errors were encountered: