Add nofollow attribute for Markdown links

2019-03-13 10:27:18 +01:00 · 2019-03-13 10:27:18 +01:00 · 3d86a42b8b
commit 3d86a42b8b
parent d3b3e15dba
3 changed files with 12 additions and 1 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -1008,6 +1008,7 @@ dependencies = [
 "diesel 1.4.1 (registry+https://github.com/rust-lang/crates.io-index)",
 "env_logger 0.6.1 (registry+https://github.com/rust-lang/crates.io-index)",
 "futures 0.1.25 (registry+https://github.com/rust-lang/crates.io-index)",
+ "lazy_static 1.3.0 (registry+https://github.com/rust-lang/crates.io-index)",
 "log 0.4.6 (registry+https://github.com/rust-lang/crates.io-index)",
 "pulldown-cmark 0.2.0 (registry+https://github.com/rust-lang/crates.io-index)",
 "rand 0.6.5 (registry+https://github.com/rust-lang/crates.io-index)",
--- a/Cargo.toml
+++ b/Cargo.toml
@ -14,6 +14,7 @@ chrono = "0.4.6"
 diesel = { version = "1.4.1", features = ["chrono", "postgres"] }
 env_logger = "0.6.0"
 futures = "0.1.25"
+lazy_static = "1.3.0"
 log = "0.4.6"
 pulldown-cmark = "0.2.0"
 rand = "0.6.5"
--- a/src/main.rs
+++ b/src/main.rs
@ -13,12 +13,14 @@ use actix_web::http::header::{
 use actix_web::http::{Method, StatusCode};
 use actix_web::middleware::{DefaultHeaders, Logger};
 use actix_web::{server, App, AsyncResponder, Form, HttpResponse, Path, State};
+use ammonia::Builder;
 use askama::actix_web::TemplateIntoResponse;
 use askama::Template;
 use chrono::{DateTime, Duration, Utc};
 use diesel::prelude::*;
 use futures::future::{self, Either};
 use futures::prelude::*;
+use lazy_static::lazy_static;
 use log::info;
 use pulldown_cmark::{html, Options, Parser};
 use rand::prelude::*;
@ -196,12 +198,19 @@ fn delete_old_pastes(
 }

 fn render_markdown(markdown: &str) -> String {
+    lazy_static! {
+        static ref FILTER: Builder<'static> = {
+            let mut builder = Builder::new();
+            builder.link_rel(Some("noopener noreferrer nofollow"));
+            builder
+        };
+    }
    let mut output = String::new();
    html::push_html(
        &mut output,
        Parser::new_ext(markdown, Options::ENABLE_TABLES),
    );
-    ammonia::clean(&output)
+    FILTER.clean(&output).to_string()
 }

 fn raw(db: State<Database<PgConnection>>, requested_identifier: Path<String>) -> AsyncResponse {