<?php

// Must be called post-validation, i.e. after the attributes have been validated.

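/**
 * Adds rel="noreferrer" to any link that has a target attribute, i.e. a
 * link that may open in a window other than the current one.  This is
 * used to prevent a malicious website opened that way from silently
 * replacing the original window (through its reference to the opener),
 * which could be used for phishing; browsers that follow the HTML
 * standard treat noreferrer as implying noopener, and also omit the
 * Referer header.
 * This transform is controlled by %HTML.TargetNoreferrer.
 */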
class HTMLPurifier_AttrTransform_TargetNoreferrer extends HTMLPurifier_AttrTransform
{
    /**
     * Ensures the rel attribute lists "noreferrer" whenever a target
     * attribute is present.
     *
     * Existing rel tokens are kept in their original order and the new
     * token is appended at the end.  The rel value is split on single
     * spaces and compared case-sensitively, so this presumably relies on
     * rel having been normalised already (the transform is meant to run
     * post-validation) -- TODO confirm against the rel validator.
     *
     * @param array $attr Attributes of the element, keyed by name.
     * @param HTMLPurifier_Config $config Not read by this transform.
     * @param HTMLPurifier_Context $context Not read by this transform.
     * @return array The attributes, with rel rewritten when it was already
     *               set or when "noreferrer" had to be added.
     */
    public function transform($attr, $config, $context)
    {
        $hadRel = isset($attr['rel']);
        $tokens = $hadRel ? explode(' ', $attr['rel']) : array();

        // Only elements with a target attribute get the token; an existing
        // exact "noreferrer" token is never duplicated.
        $mustAppend = isset($attr['target']) && !in_array('noreferrer', $tokens);
        if ($mustAppend) {
            $tokens[] = 'noreferrer';
        }

        // Nothing to write back: no rel to begin with and no token added.
        if (!$hadRel && !$mustAppend) {
            return $attr;
        }

        $attr['rel'] = implode(' ', $tokens);

        return $attr;
    }
}