From 459eaa897191cceb674820a6a9e2630f7ca1350f Mon Sep 17 00:00:00 2001
From: Mehdi Bounya <5004111+mehdibo@users.noreply.github.com>
Date: Sun, 28 Jan 2018 19:29:29 +0000
Subject: Added rel attribute to auto_link() Fixed security issue: allowing the target page to take control of the original page Details about the issue here: https://mathiasbynens.github.io/rel-noopener/
---
 system/helpers/url_helper.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'system/helpers')
diff --git a/system/helpers/url_helper.php b/system/helpers/url_helper.php
index e5d2d372f..3eb2cb0b0 100644
--- a/system/helpers/url_helper.php
+++ b/system/helpers/url_helper.php
@@ -396,7 +396,7 @@ if ( ! function_exists('auto_link'))
 if ($type !== 'email' && preg_match_all('#(\w*://|www\.)[a-z0-9]+(-+[a-z0-9]+)*(\.[a-z0-9]+(-+[a-z0-9]+)*)+(/([^\s()<>;]+\w)?/?)?#i', $str, $matches, PREG_OFFSET_CAPTURE | PREG_SET_ORDER))
 {
 // Set our target HTML if using popup links.
- $target = ($popup) ? ' target="_blank"' : '';
+ $target = ($popup) ? ' target="_blank" rel="noopener"' : '';

 // We process the links in reverse order (last -> first) so that
 // the returned string offsets from preg_match_all() are not
-- 
cgit v1.2.3-24-g4f1b
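Review bot: The new `$target` value sets only `rel="noopener"`, which browsers that do not implement that keyword ignore, so on those the linked page can still reach `window.opener`. Adding `noreferrer` covers them as well, at the cost of no Referer header being sent to the linked site: `$target = ($popup) ? ' target="_blank" rel="noopener noreferrer"' : '';`. The comment above the assignment still describes only the target attribute and could record the reason for the new one, e.g. `// Popup links also carry rel="noopener" so the opened page cannot reach window.opener.`. Any other place in this helper that emits `target="_blank"` is outside the hunk and should be checked for the same attribute. The body of auto_link() starts and ends outside the hunk.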