Description: Remove XSS from the link modal
 Editor: Prevent adding javascript: and data: URLs through the inline
 link dialog.
 CVE-2017-14718
Author: ocean90@wordpress.org
Origin: upstream, https://core.trac.wordpress.org/changeset/41401/branches/4.7
Bug-Debian: https://bugs.debian.org/876274
Applied-Upstream: 4.8.2
Reviewed-by: Craig Small <csmall@debian.org>
Last-Update: 2017-09-23
--- a/wp-includes/js/tinymce/plugins/wplink/plugin.js
+++ b/wp-includes/js/tinymce/plugins/wplink/plugin.js
@@ -4,7 +4,7 @@
 		renderHtml: function() {
 			return (
 				'<div id="' + this._id + '" class="wp-link-preview">' +
-					'<a href="' + this.url + '" target="_blank" tabindex="-1">' + this.url + '</a>' +
+					'<a href="' + this.url + '" target="_blank" rel="noopener" tabindex="-1">' + this.url + '</a>' +
 				'</div>'
 			);
 		},
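Review bot: On the new line `this.url` is still concatenated unescaped into both the `href` attribute and the anchor text, so a URL containing `"` or `<` ends the attribute or injects markup unless it was already encoded where `this.url` is assigned, which this hunk does not show. Encoding at the insertion point is the robust option, e.g. `var url = tinymce.DOM.encode( this.url );` and then using `url` in both places, if that helper is reachable from this control; otherwise a comment on `this.url` stating that it must arrive pre-encoded would document the assumption. The same string-building pattern appears in wplink.js at hunk `@@ -312` (`html += ' rel="noopener" target="' + attrs.target + '"'`), where `attrs.href` and `attrs.target` come from `getAttrs()` whose encoding is likewise not visible here. The object containing `renderHtml` starts outside the hunk.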
@@ -249,6 +249,13 @@
 				text = inputInstance.getLinkText();
 				editor.focus();
 
+				var parser = document.createElement( 'a' );
+				parser.href = href;
+
+				if ( 'javascript:' === parser.protocol || 'data:' === parser.protocol ) { // jshint ignore:line
+					href = '';
+				}
+
 				if ( ! href ) {
 					editor.dom.remove( linkNode, true );
 					return;
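Review bot: The added guard is a denylist of two schemes, so any other scheme the browser's anchor parser accepts is passed through; unless the server-side save path sanitizes the href as well (not visible here), an allowlist of the schemes the dialog is meant to accept (`http:`, `https:`, `mailto:`, and similar) would be the safer shape. The `// jshint ignore:line` deserves a word on its purpose, presumably that the literal `'javascript:'` string trips jshint's script-URL warning, e.g. `// jshint ignore:line -- the literal 'javascript:' string triggers the scripturl warning`. Note that an href with no scheme is resolved relative to the current page, so `parser.protocol` reports the page's scheme and relative links pass; that looks intended but is worth a comment. The enclosing function starts and ends outside the hunk.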
--- a/wp-includes/js/wplink.js
+++ b/wp-includes/js/wplink.js
@@ -312,7 +312,7 @@
 			var html = '<a href="' + attrs.href + '"';
 
 			if ( attrs.target ) {
-				html += ' target="' + attrs.target + '"';
+				html += ' rel="noopener" target="' + attrs.target + '"';
 			}
 
 			return html + '>';
@@ -337,6 +337,13 @@
 			attrs = wpLink.getAttrs();
 			text = inputs.text.val();
 
+			var parser = document.createElement( 'a' );
+			parser.href = attrs.href;
+
+			if ( 'javascript:' === parser.protocol || 'data:' === parser.protocol ) { // jshint ignore:line
+				attrs.href = '';
+			}
+
 			// If there's no href, return.
 			if ( ! attrs.href ) {
 				return;
@@ -389,6 +396,13 @@
 			var attrs = wpLink.getAttrs(),
 				$link, text, hasText, $mceCaret;
 
+			var parser = document.createElement( 'a' );
+			parser.href = attrs.href;
+
+			if ( 'javascript:' === parser.protocol || 'data:' === parser.protocol ) { // jshint ignore:line
+				attrs.href = '';
+			}
+
 			if ( ! attrs.href ) {
 				editor.execCommand( 'unlink' );
 				wpLink.close();
