From 4dfe5b14e5688c371d08b92f26b594ec8d94943a Mon Sep 17 00:00:00 2001 From: Daniel Kesselberg Date: Wed, 11 Aug 2021 19:41:28 +0200 Subject: [PATCH] Add noreferrer to external links. Don't forward external links via proxy. Signed-off-by: Daniel Kesselberg --- lib/Service/HtmlPurify/TransformHTMLLinks.php | 9 +------ lib/Service/HtmlPurify/TransformURLScheme.php | 25 +++++++------------ 2 files changed, 10 insertions(+), 24 deletions(-) diff --git a/lib/Service/HtmlPurify/TransformHTMLLinks.php b/lib/Service/HtmlPurify/TransformHTMLLinks.php index d3bb22b450..e287d243bd 100755 --- a/lib/Service/HtmlPurify/TransformHTMLLinks.php +++ b/lib/Service/HtmlPurify/TransformHTMLLinks.php @@ -26,7 +26,6 @@ use HTMLPurifier_AttrTransform; use HTMLPurifier_Config; use HTMLPurifier_Context; -use HTMLPurifier_URIParser; use OCP\IURLGenerator; /** @@ -34,17 +33,11 @@ */ class TransformHTMLLinks extends HTMLPurifier_AttrTransform { - /** - * @type HTMLPurifier_URIParser - */ - private $parser; - /** @var IURLGenerator */ private $urlGenerator; public function __construct(IURLGenerator $urlGenerator) { $this->urlGenerator = $urlGenerator; - $this->parser = new HTMLPurifier_URIParser(); } /** @@ -59,7 +52,7 @@ public function transform($attr, $config, $context) { } $attr['target'] = '_blank'; - $attr['rel'] = 'noopener'; + $attr['rel'] = 'external noopener noreferrer'; // Open mailto: links in Mail if (stripos($attr['href'], 'mailto:') === 0) { diff --git a/lib/Service/HtmlPurify/TransformURLScheme.php b/lib/Service/HtmlPurify/TransformURLScheme.php index a7f38c3a50..c7c4a2d81e 100644 --- a/lib/Service/HtmlPurify/TransformURLScheme.php +++ b/lib/Service/HtmlPurify/TransformURLScheme.php 
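Review bot: The new `$attr['rel'] = 'external noopener noreferrer';` line in transform() carries no comment saying why `noreferrer` is needed. After this commit it is what keeps the mail app's URL out of the Referer header, because the commit also stops sending links through the redirect route. I would add `// noreferrer: links now open the target directly, so suppress the Referer header that would disclose this instance's URL` above it. A `rel` value is a per-link control that a later edit can drop unnoticed; whether the app also sends a `Referrer-Policy` response header is not visible here and would be worth confirming as a second layer. transform() starts and ends outside the hunk.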
@@ -123,23 +123,16 @@ private function filterHttpFtp(&$uri, $context) { // If element is of type "href" it is most likely a link that should get redirected // otherwise it's an element that we send through our proxy if ($element === 'href') { - $uri = new \HTMLPurifier_URI( - $this->request->getServerProtocol(), - null, - $this->request->getServerHost(), - null, - $this->urlGenerator->linkToRoute('mail.proxy.redirect'), - 'src=' . $originalURL, - null - ); - return $uri; - } else { - $uri = new \HTMLPurifier_URI( - $this->request->getServerProtocol(), null, $this->request->getServerHost(), null, - $this->urlGenerator->linkToRoute('mail.proxy.proxy'), - 'src=' . $originalURL . '&requesttoken=' . \OC::$server->getSession()->get('requesttoken'), - null); return $uri; } + + return new \HTMLPurifier_URI( + $this->request->getServerProtocol(), + null, $this->request->getServerHost(), + null, + $this->urlGenerator->linkToRoute('mail.proxy.proxy'), + 'src=' . $originalURL . '&requesttoken=' . \OC::$server->getSession()->get('requesttoken'), + null + ); } }
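Review bot: The comment above `if ($element === 'href')` still says a link "should get redirected", but the new branch returns `$uri` untouched, so it now describes behaviour this commit removes; I would change it to `// Links (href) keep their original URL; every other element is loaded through our proxy`. The retained proxy query, `'src=' . $originalURL . '&requesttoken=' . ...`, is built by plain concatenation, and whether `$originalURL` is URL-encoded is decided above the hunk. That is worth confirming, since an unencoded `&` in a mail-supplied URL would change the parameters the proxy receives. The diffstat touches only two files, so the `mail.proxy.redirect` route presumably still exists; if nothing else links to it, removing it would drop an unused redirect endpoint. filterHttpFtp starts outside the hunk.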