From 07116d1445aa33eb6440876b97dad43fde82963e Mon Sep 17 00:00:00 2001
From: evazion <noizave@gmail.com>
Date: Sun, 13 Oct 2019 18:53:46 -0500
Subject: [PATCH] Mark links in notes and fetch source data box as external.

---
 app/helpers/application_helper.rb | 3 +--
 app/logical/note_sanitizer.rb     | 2 +-
 app/views/sources/_info.html.erb  | 4 ++--
 test/unit/note_sanitizer_test.rb  | 6 +++---
 4 files changed, 7 insertions(+), 8 deletions(-)

diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
index a3d1f944a..300eaf6b8 100644
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -78,8 +78,7 @@ module ApplicationHelper
     time_tag(time.strftime("%Y-%m-%d %H:%M"), time)
   end
 
-  def external_link_to(url, truncate: nil, strip: false, **link_options)
-    text = url
+  def external_link_to(url, text = url, truncate: nil, strip: false, **link_options)
     text = text.gsub(%r!\Ahttps?://!i, "") if strip == :scheme
     text = text.gsub(%r!\Ahttps?://(?:www\.)?!i, "") if strip == :subdomain
     text = text.truncate(truncate) if truncate
diff --git a/app/logical/note_sanitizer.rb b/app/logical/note_sanitizer.rb
index d2b6d5835..65c22f0b9 100644
--- a/app/logical/note_sanitizer.rb
+++ b/app/logical/note_sanitizer.rb
@@ -61,7 +61,7 @@ module NoteSanitizer
       :elements => ALLOWED_ELEMENTS,
       :attributes => ALLOWED_ATTRIBUTES,
       :add_attributes => {
-        "a" => { "rel" => "nofollow" },
+        "a" => { "rel" => "external noreferrer nofollow" },
       },
       :protocols => {
         "a" => {
diff --git a/app/views/sources/_info.html.erb b/app/views/sources/_info.html.erb
index 17a424077..569bc8a73 100644
--- a/app/views/sources/_info.html.erb
+++ b/app/views/sources/_info.html.erb
@@ -12,7 +12,7 @@
           <% if @source.artist_name.blank? %>
             <em>None</em>
           <% else %>
-            <%= link_to @source.artist_name, @source.profile_url, id: "source-info-artist-profile" %>
+            <%= external_link_to @source.profile_url, @source.artist_name, id: "source-info-artist-profile" %>
 
             <% if @source.artists.empty? %>
               (<%= link_to "Create new artist", new_artist_path(artist: { source: @source.canonical_url }), id: "source-info-create-new-artist" %>)
@@ -35,7 +35,7 @@
           <% else %>
             <ul>
               <% @source.tags.each do |tag, href| %>
-                <li><%= link_to tag, href, rel: :nofollow %></li>
+                <li><%= external_link_to href, tag %></li>
               <% end %>
             </ul>
 
diff --git a/test/unit/note_sanitizer_test.rb b/test/unit/note_sanitizer_test.rb
index 63c0cbf52..4301304ee 100644
--- a/test/unit/note_sanitizer_test.rb
+++ b/test/unit/note_sanitizer_test.rb
@@ -19,19 +19,19 @@ class NoteSanitizerTest < ActiveSupport::TestCase
 
     should "mark links as nofollow" do
       body = '<a href="http://www.google.com">google</a>'
-      assert_equal('<a href="http://www.google.com" rel="nofollow">google</a>', NoteSanitizer.sanitize(body))
+      assert_equal('<a href="http://www.google.com" rel="external noreferrer nofollow">google</a>', NoteSanitizer.sanitize(body))
     end
 
     should "rewrite absolute links to relative links" do
       Danbooru.config.stubs(:hostnames).returns(%w[danbooru.donmai.us sonohara.donmai.us hijiribe.donmai.us])
 
       body = '<a href="http://sonohara.donmai.us/posts?tags=touhou#dtext-intro">touhou</a>'
-      assert_equal('<a href="/posts?tags=touhou#dtext-intro" rel="nofollow">touhou</a>', NoteSanitizer.sanitize(body))
+      assert_equal('<a href="/posts?tags=touhou#dtext-intro" rel="external noreferrer nofollow">touhou</a>', NoteSanitizer.sanitize(body))
     end
 
     should "not fail when rewriting bad links" do
       body = %{<a href ="\nhttp!://www.google.com:12x3">google</a>}
-      assert_equal(%{<a rel="nofollow">google</a>}, NoteSanitizer.sanitize(body))
+      assert_equal(%{<a rel="external noreferrer nofollow">google</a>}, NoteSanitizer.sanitize(body))
     end
   end
 end