From 8d8f9c8c59ad2960c25bb895e73b8dcbcb5020ed Mon Sep 17 00:00:00 2001
From: Vincent Bernat
Date: Sat, 21 Apr 2018 10:25:12 +0200
Subject: [PATCH] html: add nofollow/noopener to links

"nofollow" is a deterrent for spammers: they cannot put links and hope to increase their SEO when all these links have the nofollow relationship.

"noopener" is a security for links opening a new window. They ensure the target cannot control us.

Fix #373
---
isso/tests/test_html.py | 4 ++--
isso/utils/html.py | 5 +++++
2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/isso/tests/test_html.py b/isso/tests/test_html.py
index 316fbf8..327357c 100644
--- a/isso/tests/test_html.py
+++ b/isso/tests/test_html.py
@@ -65,7 +65,7 @@ class TestHTML(unittest.TestCase):
 examples = [ ('Look: ', 'Look: '), ('Ha', - 'Ha'), + 'Ha'), ('Ha', 'Ha'), ('

Test

', '

Test

'), ('', 'alert("Onoe")')] @@ -93,4 +93,4 @@ class TestHTML(unittest.TestCase): }) renderer = html.Markup(conf.section("markup")).render self.assertEqual(renderer("http://example.org/ and sms:+1234567890"), - '

http://example.org/ and sms:+1234567890

') + '

http://example.org/ and sms:+1234567890

')
diff --git a/isso/utils/html.py b/isso/utils/html.py
index fca3c7e..1f5f8cd 100644
--- a/isso/utils/html.py
+++ b/isso/utils/html.py
@@ -50,6 +50,11 @@ def sanitize(tokenizer, document):
 if HTML5LIB_VERSION > HTML5LIB_SIMPLETREE:
 builder = "etree"
+
+ for link in domtree.findall(".//{http://www.w3.org/1999/xhtml}a"):
+ if link.get('href', None):
+ link.set("rel", "nofollow noopener")
+
 else:
 builder = "simpletree"
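Review bot: The rel rewrite runs only inside the `etree` branch of the builder selection, so with an html5lib old enough to take the `simpletree` branch the serialized links carry no `rel` at all and the nofollow/noopener hardening silently depends on the installed library version. Either move the loop after the if/else (if the simpletree tree exposes an equivalent element lookup) or document the gap right above the loop: `# rel is only rewritten for the etree builder; simpletree output (old html5lib) is left untouched`. `link.set("rel", ...)` also replaces any author-supplied rel value, which is the intended outcome for untrusted comment markup but worth a word in that comment. Browsers that predate `noopener` ignore it, and adding `noreferrer` alongside it gives them the same window.opener protection, at the cost of suppressing the Referer header. The body of sanitize continues on both sides of this hunk.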